createOrReplace Service Account leaks secret tokens
Hi,

We are facing an issue that our code is regularly calling createOrReplace on a service account to make sure that it stays up to date, but it seems that on each call we are generating a new token without clearing out the old:
elastic-operator-token-stx62 kubernetes.io/service-account-token 3 97d
elastic-operator-token-svl9g kubernetes.io/service-account-token 3 201d
elastic-operator-token-swv6z kubernetes.io/service-account-token 3 120d
elastic-operator-token-sztz2 kubernetes.io/service-account-token 3 70d
elastic-operator-token-t47x6 kubernetes.io/service-account-token 3 247d
elastic-operator-token-t4ccc kubernetes.io/service-account-token 3 75d
elastic-operator-token-t4mfl kubernetes.io/service-account-token 3 124d
elastic-operator-token-t584b kubernetes.io/service-account-token 3 108d
elastic-operator-token-t6pg5 kubernetes.io/service-account-token 3 252d
...
Is this expected behavior? I would expect that createOrReplace also deletes this service account token when deleting the service account? Or is there an alternative function call that we should use?
Issue Analytics
- Created 2 years ago
- Comments: 5 (2 by maintainers)
Top GitHub Comments
The yaml you are using to create the service account does not have the secrets specified correct? This is a similar issue to #3122 - the kubernetes logic acts upon the PUT independently of the existing item. My guess is that to workaround you need to use a patch, or that some logic - either in your application, or through an enhancement here - would need to check for the existence of the service account and update the object with the existing secrets if none were specified. Related to using a patch instead is that you may be expecting createOrReplace to behave like kubectl apply, but it does not #3420 - kubectl’s logic, which will produce patches, rather than puts, does not trigger the creation of a new secret.
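The two workarounds the comment above describes, written out as an added example against the fabric8 kubernetes-client 6.x API (this is not code from the issue or from the project): option A keeps using createOrReplace (a PUT) but first reads the existing ServiceAccount and copies its `secrets` and `imagePullSecrets` references into the object being sent, so the token controller sees nothing missing and does not mint another token; option B uses `edit()`, which sends a patch, so server-managed fields the application never mentions are left alone. A third method lists token secrets that are annotated for the service account but are no longer referenced from `sa.secrets`; these are exactly the orphaned, still-valid tokens the issue shows piling up. The namespace `elastic-system`, the service-account name and the label values are assumed placeholders.

```java
import io.fabric8.kubernetes.api.model.ObjectReference;
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.api.model.ServiceAccount;
import io.fabric8.kubernetes.api.model.ServiceAccountBuilder;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientBuilder;

import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

public class ServiceAccountReconciler {

    /** Desired state as the application defines it: no `secrets` field, which is what triggers a new token on PUT. */
    static ServiceAccount desired(String ns, String name) {
        return new ServiceAccountBuilder()
            .withNewMetadata().withName(name).withNamespace(ns)
                .addToLabels("app", "elastic-operator") // assumed label
            .endMetadata()
            .build();
    }

    /** Option A: keep createOrReplace (a PUT), but carry the existing secret references over first. */
    static ServiceAccount replacePreservingSecrets(KubernetesClient client, ServiceAccount wanted) {
        String ns = wanted.getMetadata().getNamespace();
        String name = wanted.getMetadata().getName();
        ServiceAccount existing = client.serviceAccounts().inNamespace(ns).withName(name).get();
        boolean noSecretsGiven = wanted.getSecrets() == null || wanted.getSecrets().isEmpty();
        if (existing != null && noSecretsGiven) {
            // Reuse what the token controller already attached instead of sending an empty list.
            wanted = new ServiceAccountBuilder(wanted)
                .withSecrets(existing.getSecrets())
                .withImagePullSecrets(existing.getImagePullSecrets())
                .build();
        }
        return client.serviceAccounts().inNamespace(ns).createOrReplace(wanted);
    }

    /** Option B: edit() produces a patch, so fields we do not touch (secrets included) stay as the server has them. */
    static ServiceAccount patchLabelsOnly(KubernetesClient client, String ns, String name,
                                          String key, String value) {
        return client.serviceAccounts().inNamespace(ns).withName(name)
            .edit(sa -> new ServiceAccountBuilder(sa)
                .editMetadata().addToLabels(key, value).endMetadata()
                .build());
    }

    /** Detection: token secrets annotated for this service account that sa.secrets no longer references. */
    static List<String> orphanedTokenSecrets(KubernetesClient client, String ns, String name) {
        ServiceAccount sa = client.serviceAccounts().inNamespace(ns).withName(name).get();
        Set<String> referenced = new HashSet<>();
        if (sa != null && sa.getSecrets() != null) {
            for (ObjectReference ref : sa.getSecrets()) referenced.add(ref.getName());
        }
        List<String> orphans = new ArrayList<>();
        for (Secret s : client.secrets().inNamespace(ns).list().getItems()) {
            if (!"kubernetes.io/service-account-token".equals(s.getType())) continue;
            Map<String, String> ann = s.getMetadata().getAnnotations();
            if (ann == null || !name.equals(ann.get("kubernetes.io/service-account.name"))) continue;
            if (!referenced.contains(s.getMetadata().getName())) orphans.add(s.getMetadata().getName());
        }
        return orphans;
    }

    public static void main(String[] args) {
        String ns = "elastic-system";        // assumed namespace
        String name = "elastic-operator";    // assumed service-account name
        try (KubernetesClient client = new KubernetesClientBuilder().build()) {
            replacePreservingSecrets(client, desired(ns, name));
            patchLabelsOnly(client, ns, name, "reconciled", "true");
            for (String orphan : orphanedTokenSecrets(client, ns, name)) {
                System.out.println("unreferenced token secret (still a valid credential): " + orphan);
            }
        }
    }
}
```

Each unreferenced `kubernetes.io/service-account-token` secret that `orphanedTokenSecrets` reports still holds a working bearer token with the service account's RBAC permissions, so treating them as credentials to rotate or remove is the relevant follow-up; on Kubernetes 1.24 and later the token controller no longer creates such secrets automatically, so the accumulation only occurs on older clusters or where legacy token secrets are still in use.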
This issue has been automatically marked as stale because it has not had any activity for 90 days. It will be closed if no further activity occurs within 7 days. Thank you for your contributions!