From 2d794f6c8e17f7fe23f68a286fabf1c4992e4926 Mon Sep 17 00:00:00 2001
From: Michele Sorcinelli
Date: Wed, 18 May 2022 15:44:38 +0100
Subject: [PATCH] Fix stale serviceaccount tokens Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature to beta and enabled it by default. This feature improves security of service account tokens by requiring a one hour expiry time, over the previous default of no expiration. This means that applications that do not refetch service account tokens periodically will receive an HTTP 401 unauthorized error response on requests to Kubernetes API server with expired tokens https://github.com/kubernetes/enhancements/issues/542 This commit forces kube-schedule-scaler to refresh token every minute, and acts as workaround at least until pykube-ng implements automatic token renewal.
---
 schedule_scaling/main.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/schedule_scaling/main.py b/schedule_scaling/main.py
index 8e17503..c4b4113 100755
--- a/schedule_scaling/main.py
+++ b/schedule_scaling/main.py
@@ -23,9 +23,6 @@ def get_kube_api():
 return pykube.HTTPClient(pykube.KubeConfig.from_env())
 
 
-api = get_kube_api()
-
-
 def deployments_to_scale():
 """ Getting the deployments configured for schedule scaling """
 deployments = []
@@ -193,6 +190,9 @@ def scale_hpa(name, namespace, min_replicas, max_replicas):
 if __name__ == "__main__":
 logging.info("Main loop started")
 while True:
+ global api
+ api = get_kube_api()
+
 logging.debug("Waiting until the next minute")
 sleep(get_wait_sec())
 logging.debug("Getting deployments")
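Review bot: The added `global api` inside `if __name__ == "__main__":` has no effect, because that block already runs at module scope; the line can be dropped and `api = get_kube_api()` kept alone. With the module-level `api = get_kube_api()` removed in the first hunk, `api` is bound only when the file runs as a script, so functions that read it (presumably `deployments_to_scale` and `scale_hpa`, whose bodies are outside the hunks) would raise NameError if the module were imported, for example by tests. The client is also built before `sleep(get_wait_sec())`, so the token it read can be up to a minute old when first used. That is harmless against a one-hour expiry, but moving the assignment to just after the sleep keeps the credential as fresh as possible. If the assignment stays as is, a comment such as `# Rebuild the client each cycle so the rotated service account token is re-read` would record why the client is recreated; the loop body continues past the end of the hunk.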