Bug 1905328 - Changing the bound token service account issuer invalidates previously issued bound tokens
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.7
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
: 4.7.0
Assignee: Maru Newby
QA Contact: scheng
URL:
Whiteboard:
Depends On:
Blocks: 1905573
Reported: 2020-12-08 03:31 UTC by Maru Newby
Modified: 2021-02-24 15:40 UTC
3 users

Fixed In Version:
Doc Type: Known Issue
Doc Text:
Cause: Changing the serviceAccountIssuer field of the authentication resource will update the kube-apiserver to validate tokens with the new issuer and reject tokens with the previous issuer. kube-apiserver does not support multiple issuers at this time, so a graceful transition is not possible.
Consequence: Changing the serviceAccountIssuer has the potential to disrupt applications relying on bound tokens. Unless an application is coded to explicitly request a new token when its existing token starts receiving 401 responses from the apiserver, it will continue to use the invalid token until restarted or until the invalid token exceeds 80% of its duration (at which point the kubelet will request a new token for it).
Workaround (if any): Only change the serviceAccountIssuer field if disruption is acceptable and restarting all pods is an option.
Clone Of:
: 1905573 (view as bug list)
Environment:
Last Closed: 2021-02-24 15:40:33 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift api pull 815 0 None closed Bug 1905328: Add warning of the consequences of changing bound token issuer 2021-02-06 08:13:03 UTC
Github openshift cluster-config-operator pull 173 0 None closed Bug 1905328: Add warning of the consequences of changing bound token issuer 2021-02-06 08:13:03 UTC
Red Hat Product Errata RHSA-2020:5633 0 None None None 2021-02-24 15:40:50 UTC

Description Maru Newby 2020-12-08 03:31:17 UTC
Changing the serviceAccountIssuer field of the authentication resource will update the kube-apiserver to validate tokens with the new issuer and reject tokens with the previous issuer. This has the potential to disrupt applications relying on bound tokens. Unless an application is coded to explicitly request a new token when its existing token starts receiving 401 responses from the apiserver, it will continue to use the invalid token until restarted or until the invalid token exceeds 80% of its duration (at which point the kubelet will request a new token for it).

A likely fix for 4.8 is ensuring the apiserver supports a graceful transition between 2 issuers. For 4.7, 4.6, and 4.5, the near-term remedy is to document the impact of a change in issuer and ensure the compatibility of control plane components like controller manager with an issuer change.
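The single-issuer check and the kubelet's 80% rotation threshold described in the report, modelled as an added example that is not part of the bug report or of kube-apiserver's own code. It assumes HMAC signing with a constructed key as a stand-in for the apiserver's asymmetric service-account key, and the issuer URLs, service account names and lifetimes used with it are constructed.

```python
"""Model of the single-issuer check and the kubelet's 80% rotation threshold.
Constructed example: real bound tokens are signed with the apiserver's asymmetric
service-account key; HMAC with a demo key stands in so the block runs offline."""
import base64, hashlib, hmac, json

KEY = b"constructed-demo-signing-key"  # stand-in for the apiserver signing key

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def mint_bound_token(issuer: str, sa: str, iat: int, lifetime: int) -> str:
    """Mint a bound token the way the apiserver does for a projected volume request."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": issuer, "sub": f"system:serviceaccount:{sa}",
              "aud": ["https://kubernetes.default.svc"], "iat": iat, "exp": iat + lifetime}
    signing_input = f"{header}.{_b64(json.dumps(claims).encode())}"
    sig = hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64(sig)}"

def validate(token: str, configured_issuer: str, now: int) -> tuple[int, str]:
    """Mirror the apiserver check: exactly one configured issuer, so a token minted
    under the previous issuer gets 401 even though signature and expiry are fine."""
    header, payload, sig = token.split(".")
    expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64(expected), sig):
        return 401, "bad signature"
    claims = _claims(token)
    if claims["iss"] != configured_issuer:
        return 401, f"issuer {claims['iss']!r} is not the configured {configured_issuer!r}"
    if now >= claims["exp"]:
        return 401, "expired"
    return 200, "ok"

def kubelet_refresh_at(token: str) -> float:
    """Time at which the kubelet requests a fresh token: 80% of the lifetime elapsed."""
    c = _claims(token)
    return c["iat"] + 0.8 * (c["exp"] - c["iat"])

def disruption_window(token: str, change_time: int) -> float:
    """Seconds a pod that does not re-request a token on 401 keeps presenting the
    now-invalid token after the issuer change, unless it is restarted first."""
    return max(0.0, kubelet_refresh_at(token) - change_time)
```

Running disruption_window over the tokens currently projected into pods tells an operator how long each workload would keep failing after an issuer change without a restart.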

Comment 3 Xingxing Xia 2020-12-10 02:27:07 UTC
Assigning back for bumping PR to bump the dependency to the right repo.

Comment 8 errata-xmlrpc 2021-02-24 15:40:33 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

