external-secrets/kubernetes-external-secrets

Pod is using stale tokens

albertschwarzkopf opened this issue · 1 comment

Hi,

The "Bound Service Account Token Volume" feature has graduated to stable and is enabled by default in Kubernetes version 1.22.
I am using "kubernetes-external-secrets:8.5.5" in AWS EKS 1.22 and I have checked whether it is using stale tokens (see https://docs.aws.amazon.com/eks/latest/userguide/kubernetes-versions.html and https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting.html#troubleshooting-boundservicetoken).

So when the API server receives requests with tokens that are older than one hour, it annotates the pod with "annotations.authentication.k8s.io/stale-token". In my case I can see the following annotation, e.g.:

"annotations":{"authentication.k8s.io/stale-token":"subject: system:serviceaccount:kube-external-secrets:external-secrets-oidc, seconds after warning threshold: 424"

Version:

kubernetes-external-secrets:8.5.5

Cluster Details:

AWS EKS 1.22

Steps to reproduce issue

  • Enable EKS Audit Logs
  • Query CW Insights (select cluster log group):

fields @timestamp
| filter @message like /seconds after warning threshold/
| parse @message "subject: *, seconds after warning threshold:*\"" as subject, elapsedtime

See
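The CloudWatch Insights query above only works when the audit log group is in CloudWatch. The following is an added example (not code from the issue or from the kubernetes-external-secrets project) that performs the same check offline over exported Kubernetes audit log lines: it looks for the `authentication.k8s.io/stale-token` audit annotation, parses the "subject: ..., seconds after warning threshold: N" message quoted in the issue, and reports the worst offender per service account so you can see which workloads are still presenting an old token instead of re-reading the projected token file. The audit events below are constructed samples, not real EKS output, and only the fields the script reads are included.

```python
import json
import re
from typing import Dict, List, Optional

# Audit annotation key written by kube-apiserver when a request carries a
# bound service-account token that is past its warning threshold (the issue
# reports this happening after one hour).
STALE_TOKEN_KEY = "authentication.k8s.io/stale-token"

# Message format as quoted in the issue:
#   "subject: <service account>, seconds after warning threshold: <n>"
STALE_RE = re.compile(
    r"subject: (?P<subject>\S+), seconds after warning threshold: (?P<elapsed>\d+)"
)

# Constructed sample audit log lines (NOT real cluster output). Each line is one
# JSON audit event, as you would get when exporting the audit log group.
SAMPLE_AUDIT_LINES: List[str] = [
    json.dumps({
        "kind": "Event", "stage": "ResponseComplete",
        "user": {"username": "system:serviceaccount:kube-external-secrets:external-secrets-oidc"},
        "annotations": {
            "authorization.k8s.io/decision": "allow",
            STALE_TOKEN_KEY: "subject: system:serviceaccount:kube-external-secrets:external-secrets-oidc, "
                             "seconds after warning threshold: 424",
        },
    }),
    json.dumps({  # fresh token: no stale-token annotation at all
        "kind": "Event", "stage": "ResponseComplete",
        "user": {"username": "system:serviceaccount:kube-system:coredns"},
        "annotations": {"authorization.k8s.io/decision": "allow"},
    }),
    json.dumps({  # constructed second offender with a much older token
        "kind": "Event", "stage": "ResponseComplete",
        "user": {"username": "system:serviceaccount:demo:legacy-app"},
        "annotations": {
            STALE_TOKEN_KEY: "subject: system:serviceaccount:demo:legacy-app, "
                             "seconds after warning threshold: 90000",
        },
    }),
    "this line is not JSON and must be skipped",
]


def parse_stale_token(line: str) -> Optional[Dict[str, object]]:
    """Return {'subject', 'elapsed_seconds'} for one audit line, or None.

    None is returned for non-JSON lines, events without the annotation, and
    annotation values that do not match the expected message format.
    """
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    annotations = event.get("annotations") or {}
    message = annotations.get(STALE_TOKEN_KEY)
    if not isinstance(message, str):
        return None
    match = STALE_RE.search(message)
    if match is None:
        return None
    return {
        "subject": match.group("subject"),
        "elapsed_seconds": int(match.group("elapsed")),
    }


def find_stale_tokens(lines: List[str]) -> List[Dict[str, object]]:
    """Collect every stale-token finding from an iterable of audit log lines."""
    findings = []
    for line in lines:
        finding = parse_stale_token(line)
        if finding is not None:
            findings.append(finding)
    return findings


def worst_per_subject(findings: List[Dict[str, object]]) -> Dict[str, int]:
    """Map each service account to the largest 'seconds after warning threshold' seen.

    A growing value for the same subject means the pod keeps reusing the token it
    read at startup and never reloads the projected token file.
    """
    worst: Dict[str, int] = {}
    for f in findings:
        subject, elapsed = str(f["subject"]), int(f["elapsed_seconds"])
        worst[subject] = max(worst.get(subject, 0), elapsed)
    return worst


if __name__ == "__main__":
    for subject, seconds in sorted(worst_per_subject(find_stale_tokens(SAMPLE_AUDIT_LINES)).items()):
        print(f"{subject}: token used up to {seconds}s past the warning threshold")
```

To run it against a real export, replace `SAMPLE_AUDIT_LINES` with the lines of the downloaded audit log; any subject that keeps appearing with an increasing elapsed value is a client that has not picked up the refreshed token.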