Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Kubernetes credentials can only be refreshed once per Kubernetes API object, and can eventually expire, leading to Unauthorized errors from the Kubernetes API #2867

Closed
adamnovak opened this issue Nov 18, 2019 · 0 comments · Fixed by #2869
Closed

Kubernetes credentials can only be refreshed once per Kubernetes API object, and can eventually expire, leading to Unauthorized errors from the Kubernetes API #2867

adamnovak opened this issue Nov 18, 2019 · 0 comments · Fixed by #2869
Assignees
@adamnovak

Comments

@adamnovak
Copy link
Member

adamnovak commented Nov 18, 2019
edited by unito-bot
Loading

See kubernetes-client/python#741

The Kubernetes module establishes some credentials at startup but never refreshes them during the life of the program.

When the credentials expire, (and we start getting 401 Unauthorized-s), we need to call load_kube_config() again (if that's how we got our credentials) and replace all the API clients.

Alternately, we could re-load the config and re-make the client at every use of Kubernetes, or just reload the config "sufficiently often" and remake the clients on every use, or something.

@glennhickey is seeing problems due to this (I think) on our Kubernetes cluster after an hour.

A workaround is running with service account credentials, which don't expire.

┆Issue is synchronized with this Jira Task
┆Issue Number: TOIL-460
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@adamnovak adamnovak

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Constantly reload Kubernetes config DataBiosphere/toil
1 participant
@adamnovak