MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

aks oidc signing key auto rotation frequency configuration #122497

Open lnreddy04 opened 3 months ago

lnreddy04 commented 3 months ago

There is no explanation of how often AKS oidc-issuer signing keys are auto-rotated, nor of how to configure the rotation frequency or the lifetime of the OIDC signing cert.

TPavanBalaji commented 3 months ago

@lnreddy04 Thanks for your feedback! We will investigate and update as appropriate.

Naveenommi-MSFT commented 3 months ago

@lnreddy04 Thank you for bringing this to our attention. I've delegated this to content author @schaffererin, who will review it and offer their insightful opinions.

Naveenommi-MSFT commented 3 months ago

@schaffererin Could you please review and add comments on this, and update as appropriate.

bansri29 commented 2 months ago

@schaffererin do we have any update on this issue? I am working with the same feature and wanted to know how to get and configure the lifetime of the certs.

miwithro commented 2 months ago

Hello @lnreddy04 @bansri29, the OIDC issuer service account key rotation is managed by AKS and is not configurable. By default, the expiration time of the service account signing key (SA signing key) is 90 days, and we trigger the rotation at around 80% of the expiration time. Is this sufficient, or is there a need to have this configurable from a user perspective?

aperona-hai commented 2 months ago

Hi! I believe we are hitting an issue related to this and AKS. We are using Kubernetes serviceAccounts with WorkloadIdentity, which relies on oidc.

The issue we are seeing is that the generated svc account token has 1 year of expiration, but it looks like the signing keys get rotated way before token expiration. This leads to having a "valid" non-expired token that is actually invalid, since it cannot be verified any more (signing key gone).

I'm not sure if there is any possible action to take on the oidc side; we will try handling it in our app.

Just wanted to mention it, since I came across this issue while debugging why the k8s API was throwing a 401 with an unexpired token.

lnreddy04 commented 2 months ago

I kept searching. Will this command allow us to configure the key lifetime by using oidc-issuer-signing-key-rotation-period?

az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer --oidc-issuer-signing-key-rotation-period 5184000

lnreddy04 commented 2 months ago

Token lifetime should not be more than key lifetime. Is there an AKS flag to change the token expiry?
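The failure mode aperona-hai describes (an unexpired token that the API server rejects with 401 because its signing key has rotated out of the issuer's JWKS) and the point above about token lifetime versus key lifetime can both be checked mechanically. The following is an added example, not code from this thread or from AKS/Kubernetes: a small Python triage helper that inspects a JWT's header and claims and compares them against the issuer's current JWKS document. The `kid` values, the JWKS document and the token claims below are constructed sample data; the 90-day key lifetime and 80% rotation point are the figures miwithro gives above. The helper does not verify signatures (projected service-account tokens are RS256-signed, and signature checking belongs to a JWT library); it only tells you whether a rejection is explained by expiry or by key rotation, and whether a token's requested lifetime is longer than the key it is signed with can be expected to live.

```python
import base64
import json

# Figures stated in the thread: AKS-managed SA signing keys live 90 days and
# rotation is triggered at roughly 80% of that lifetime.
KEY_LIFETIME_SECONDS = 90 * 24 * 3600
ROTATION_FRACTION = 0.8

# Constructed sample data (assumptions, not values from AKS):
# the issuer currently publishes only the key that replaced "key-2024-a".
SAMPLE_NOW = 1_700_000_000
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "key-2024-b"},
    ]
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(header: dict, claims: dict) -> str:
    """Build a JWT-shaped string with an empty signature.

    Only for constructing test input here; a real token carries an RS256
    signature in the third segment.
    """
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        "",
    ])


def parse_token(token: str) -> tuple:
    """Return (header, claims) without verifying anything."""
    header_b64, claims_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))


def triage(token: str, jwks: dict, now: int) -> str:
    """Explain why a verifier would reject this token, if it would.

    "expired"     - exp is in the past; a 401 is the normal outcome.
    "unknown_kid" - exp is in the future but the header's kid is absent from
                    the issuer's JWKS: the signing key has rotated away and the
                    token can no longer be verified, which is the case
                    described in the thread. The fix is to re-mint the token,
                    not to extend the key.
    "verifiable"  - a key with this kid is published; hand the token to a JWT
                    library for real signature verification.
    """
    header, claims = parse_token(token)
    if "exp" not in claims or claims["exp"] <= now:
        return "expired"
    published_kids = {key.get("kid") for key in jwks.get("keys", [])}
    if header.get("kid") not in published_kids:
        return "unknown_kid"
    return "verifiable"


def lifetime_exceeds_key_rotation(claims: dict) -> bool:
    """True when the token is requested to outlive the expected key rotation.

    Such a token is guaranteed to hit the unknown_kid case before it expires,
    so callers should request a shorter expirationSeconds and refresh instead.
    """
    lifetime = claims["exp"] - claims["iat"]
    return lifetime > KEY_LIFETIME_SECONDS * ROTATION_FRACTION


if __name__ == "__main__":
    # A one-year token signed 30 days ago with a key that has since rotated.
    stale = make_unsigned_token(
        {"alg": "RS256", "kid": "key-2024-a"},
        {"iat": SAMPLE_NOW - 30 * 86400, "exp": SAMPLE_NOW + 335 * 86400,
         "sub": "system:serviceaccount:default:app"},
    )
    print(triage(stale, SAMPLE_JWKS, SAMPLE_NOW))
    print(lifetime_exceeds_key_rotation(parse_token(stale)[1]))
```

Run against a real cluster, `SAMPLE_JWKS` would be replaced by the document fetched from the issuer's `jwks_uri`, and `triage` returning `unknown_kid` for an unexpired token is the signal that the application should obtain a fresh projected token rather than retry.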