When a client-go client is constructed pointing at a token file (as the default in-cluster config does), it re-reads that token once a minute:
As long as the token on disk is refreshed at least a minute prior to expiration (which the kubelet automatically handles for tokens injected into pods), the client re-reads a refreshed token and starts using it for requests without being interrupted.
Requests are only authenticated when they are initialized, so if a single request lives longer than the token lifetime (like a watch request), the token expiration does not cause any issues.
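The once-a-minute re-read described above, sketched with only the Go standard library as an added example (not client-go's code and not part of the original thread). The `cachedFileToken` type, the `demo` helper, the injected clock and the `token-A`/`token-B` values are constructed for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// cachedFileToken is a hypothetical type (not client-go's own) for this example.
type cachedFileToken struct {
	path, token string
	period      time.Duration
	now         func() time.Time // injectable clock, so the demo needs no sleeping
	mu          sync.Mutex
	readAt      time.Time
}

// Token returns the bearer token to attach when a NEW request is started.
func (c *cachedFileToken) Token() (string, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	if c.token == "" || c.now().Sub(c.readAt) >= c.period {
		b, err := os.ReadFile(c.path) // cache empty or stale: go back to disk
		if err != nil {
			return "", err
		}
		c.token, c.readAt = strings.TrimSpace(string(b)), c.now()
	}
	return c.token, nil
}

func demo() []string {
	dir, _ := os.MkdirTemp("", "token-demo")
	defer os.RemoveAll(dir)
	path, clock := filepath.Join(dir, "token"), time.Unix(0, 0)
	c := &cachedFileToken{path: path, period: time.Minute, now: func() time.Time { return clock }}
	os.WriteFile(path, []byte("token-A\n"), 0o600) // constructed sample token
	var seen []string
	for _, step := range []time.Duration{0, 30 * time.Second, 31 * time.Second} {
		clock = clock.Add(step)
		tok, _ := c.Token()
		seen = append(seen, tok)
		os.WriteFile(path, []byte("token-B\n"), 0o600) // rotation happens on disk
	}
	return seen
}
func main() { fmt.Println(demo()) }
```

The rotated value is picked up only once the cached copy is a full period old, which is why the file on disk has to be refreshed ahead of the old token's expiry.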
We are using the Go Kubernetes client. Recently we have had some token expiration issues for some deployments running for more than 1 year.
Calico issue: https://github.com/projectcalico/calico/pull/5910
Java-client issue: https://github.com/fabric8io/kubernetes-client/pull/4264
This is because K8s had some changes for service account token renewal. Since k8s 1.21, service account tokens have a lifespan of one hour (short-lived & rotation). The token expiration is 365 days actually.
I am wondering about the Go client code with a watch client: will the watch client renew the token, or does it get a 401 to renew the token?