Support re-reading apiserver token at a set interval / built-in support for in-cluster config #98
Comments
|
Should take a look at #62 at the same time. It might be that the best option is to use the official clients config loading mechanism. I've had a look at it earlier, and looks possible to get something working, either by loading a config that we can use as we do today or even changing from using |
|
I've opened #104 to address this. I'm not sure it is necessary to couple this to #62 right now since as I understand it, using the official client library's config loading mechanism right now would require a dependency on the full client library. That doesn't seem like a ideal solution to me. |
|
#104 is included in release v0.20.0+. |
Starting from Kubernetes 1.21, the
BoundServiceAccountTokenVolumefeature is enabled by default. This means that the service account token at/var/run/secrets/kubernetes.io/serviceaccount/token, will be temporary and will expire after some time period. Because of this, the token must be re-read from file periodically to ensure that the client can continue to have valid authentication for requests to the apiserver. The changelog recommends reading the token every 1 minute.Currently in-cluster configuration with this client is typically handled at the application level, i.e. applications using in-cluster configuration read the service account token from file on startup and use that to set
config.api_token. To avoid having to reimplement the same token refresh mechanism in each application using the client, it probably makes sense to implement some level of support for in-cluster configuration in the client, including periodically refreshing the service account token from file.The text was updated successfully, but these errors were encountered: