Empty kubernetes token randomly #84

@antoinetran

Issue:

Randomly (once per day?), the pod asks for a Kubernetes token (of the service account), as a projectedVolumeMap. The token is empty:

[trana@XX]$ cat projectedVolumeMaps/kube-api-access-dpc79/token
[trana@XX]$ od -a projectedVolumeMaps/kube-api-access-dpc79/token
0000000

Expected result:

The token is not empty. E.g. (shortened for readability):

[trana@XX]$ cat projectedVolumeMaps/kube-api-access-dpc79/token
eyJhbGciOiJSUzI1NiIsImtpZCI6IjBqXzRNTWEyN3FVTzM1aW5............................................

How to reproduce:

Probably run lots of pods with a projectedVolumeMap:

apiVersion: v1
kind: Pod
metadata:
  name: test-token
spec:
  affinity:
    nodeAffinity:
      preferredDuringSchedulingIgnoredDuringExecution:
      - preference:
          matchExpressions:
          - key: kubernetes.io/arch
            operator: In
            values:
            - arm64
            - amd64
          - key: kubernetes.io/hostname
            operator: In
            values:
            - interlink-slurm-node
        weight: 1
  initContainers:
  - command:
    - /bin/sh
    - -c
    - |
      find /var/run/secrets/kubernetes.io/serviceaccount
      ls -al /var/run/secrets/kubernetes.io/serviceaccount
      cat /var/run/secrets/kubernetes.io/serviceaccount/token
    image: alpine
    name: init
    resources:
      limits:
        cpu: 100m
        memory: 128Mi
      requests:
        cpu: 50m
        memory: 16Mi
    volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-j5rc5
      readOnly: true
  restartPolicy: Never
  serviceAccount: default
  serviceAccountName: default
  tolerations:
  - key: virtual-node.interlink/no-schedule
    operator: Exists
  - effect: NoExecute
    key: node.kubernetes.io/not-ready
    operator: Exists
    tolerationSeconds: 300
  - effect: NoExecute
    key: node.kubernetes.io/unreachable
    operator: Exists
    tolerationSeconds: 300
  volumes:
  - name: kube-api-access-j5rc5
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token

The other volumes, including ca.crt, were correctly filled. Only the token was empty.
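
A check that an init container could run before the workload relies on the credential, given here as an added example that is not part of the original issue or of the project's code. The function names, return codes and retry parameters are assumptions of this example; it separates the empty-file symptom reported above from a missing or malformed token.

```shell
#!/bin/sh
# Added example, not from the issue. Return codes are this example's convention:
#   0 token has JWT shape, 1 token file missing,
#   2 token file empty (the symptom reported above), 3 non-empty but malformed

check_sa_token() {
    token_file="$1/token"
    [ -f "$token_file" ] || return 1
    # -s is true only when the file has a size greater than zero
    [ -s "$token_file" ] || return 2
    token=$(tr -d '\r\n' < "$token_file")
    case "$token" in
        *.*.*.*)  return 3 ;;  # more than three dot-separated segments
        ?*.?*.?*) return 0 ;;  # header.payload.signature, all non-empty
        *)        return 3 ;;
    esac
}

# Re-check up to $2 times, sleeping $3 seconds between attempts, so that a
# transiently empty file is told apart from a persistently empty one.
# Returns the code of the last check.
wait_for_sa_token() {
    attempts=$2
    delay=$3
    last=1
    i=0
    while [ "$i" -lt "$attempts" ]; do
        last=0
        check_sa_token "$1" || last=$?
        if [ "$last" -eq 0 ]; then return 0; fi
        i=$((i + 1))
        if [ "$i" -lt "$attempts" ]; then sleep "$delay"; fi
    done
    return "$last"
}

# Usage in an init container (mount path taken from the pod spec above):
#   wait_for_sa_token /var/run/secrets/kubernetes.io/serviceaccount 5 2 || exit 1
```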
