All Products
Search
Document Center

Container Service for Kubernetes:[Product Changes] Solutions for service account token expiration in Kubernetes 1.22 and later

Last Updated:Aug 21, 2023

In Kubernetes 1.22 and later, the validity period of a service account token is one year. The kubelet automatically renews service account tokens before they expire. However, if the client-go version is earlier than 11.0.0 or 0.15.0, the system does not automatically reload service account tokens. As a result, the service account tokens expire when the validity period ends. This topic describes the impacts of service account token expiration in Container Service for Kubernetes (ACK) clusters that run Kubernetes 1.22 or later and the solution.

To ensure data security, the BoundServiceAccountTokenVolume feature is enabled by default in Kubernetes 1.21. This feature specifies the validity period of service account tokens, automatically renews service account tokens before they expire, and invalidates service account tokens after the pods to which the tokens are bound are deleted. If the client-go version is 11.0.0 or later or 0.15.0 or later, the kubelet automatically reloads service account tokens from disks to renew the tokens. To ensure forward compatibility, you can continue to use a token for one year after it expires. After the token expires, if the client-go version is earlier than 11.0.0 or 0.15.0, the system does not automatically renew the token. The following error is prompted when a service account token expires:

# The component log.
Error listing resources error=Unauthorized
# The access log of the Kubernetes API server of the cluster.
"Unable to authenticate the request" err="[invalid bearer token, Token has expired.]"

Restart the component pod to allow client-go to obtain the new token.

Scope of impacts

Applications that run in clusters of Kubernetes 1.22 or later and use client versions earlier than 11.0.0 or 0.15.0 are affected.

Impacts

  • In clusters that run Kubernetes 1.22 or later, service account tokens may not be reloaded one year after they expire if the client-go version is earlier than 11.0.0 or 0.15.0.

  • One year after you update the Kubernetes version of a cluster to 1.22 or later, the service account tokens that are bound to an existing application expire if you do not update or restart the application.

Solution

Applications that use ACK components

By default, ACK components are pre-installed with the latest version of client-go. If the client-go version of an ACK component is not up-to-date, you can update the component to update the client-go version.

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster that you want to manage and choose Operations > Add-ons in the left-side navigation pane.

  3. On the Add-ons page, find the component that you want to update and click Upgrade.

Applications that do not use ACK components

To temporarily resolve this issue, restart the application. To permanently resolve this issue, update the client-go version to 11.0.0 or later or 0.15.0 or later for the application. This way, the application automatically reloads the service account tokens that are bound to the application.