Kubernetes credentials can only be refreshed once per Kubernetes API object, and can eventually expire, leading to Unauthorized errors from the Kubernetes API

Description

See https://github.com/kubernetes-client/python/issues/741

The Kubernetes module establishes some credentials at startup but never refreshes them during the life of the program.

When the credentials expire, (and we start getting

401 Unauthorized

-s), we need to call

load_kube_config()

again (if that's how we got our credentials) and replace all the API clients.

Alternately, we could re-load the config and re-make the client at every use of Kubernetes, or just reload the config "sufficiently often" and remake the clients on every use, or something.

@glennhickey is seeing problems due to this (I think) on our Kubernetes cluster after an hour.

A workaround is running with service account credentials, which don't expire.

┆Issue is synchronized with a GitHub issue
┆Repository Name: toil
┆Issue Number: 2867

Activity

Show:

Done

Details
Assignee
Adam Novak
Reporter
Sync Bot
Sprint
None
Priority
Medium

Checklist

Created November 18, 2019 at 9:59 PM

Updated October 19, 2021 at 8:40 PM

Resolved December 5, 2019 at 9:29 PM

Configure

Kubernetes credentials can only be refreshed once per Kubernetes API object, and can eventually expire, leading to Unauthorized errors from the Kubernetes API

Description

Activity

DetailsAssigneeAdam NovakAdam NovakReporterSync BotSync BotSprintNone+1PriorityMedium

Details

Assignee

Reporter

Sprint

Priority

ChecklistOpen Checklist

Checklist

Details
Assignee
Adam Novak
Reporter
Sync Bot
Sprint
None
Priority
Medium

Checklist