Skip to content
Snippets Groups Projects
Unverified Commit afbabebf authored by emiran-orange's avatar emiran-orange Committed by GitHub
Browse files

Enables Calico serviceAccount token monitoring and update of... 

Enables Calico serviceAccount token monitoring and update of /etc/cni/net.d/calico-kubeconfig if need be. (#7586)

Since K8S 1.21, BoundServiceAccountTokenVolume feature gate is in beta stage, thus activated by default (anyone who follows CSI guidelines has enabled AllAlpha and faced the issue before 1.21).
With this feature, SA tokens are regenerated every hour.
As a consequence for Calico CNI, token in /etc/cni/net.d/calico-kubeconfig copied from /var/run/secrets/kubernetes.io/serviceaccount in install-cni initContainer expires after one hour and any pod creation fails due to unauthorization.
Calico pods need to be restarted so that /etc/cni/net.d/calico-kubeconfig is updated with the new SA token.
parent 8c0a2741
No related branches found
No related tags found
No related merge requests found
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment