Skip to content

fix(linkerd-cni): improve SA token rotation detection #478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
alpeb merged 2 commits into from
Feb 20, 2025
Merged

fix(linkerd-cni): improve SA token rotation detection #478

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d012adb
fix(linkerd-cni): improve SA token rotation detection
alpeb Feb 17, 2025
7166afe
typo
alpeb Feb 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
33 changes: 19 additions & 14 deletions cni-plugin/deployment/scripts/install-cni.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -277,21 +277,26 @@ monitor_cni_config() {
done
}

# Kubernetes rolls out serviceaccount tokens by creating new directories
# containing a new token file and re-creating the
# /var/run/secrets/kubernetes.io/serviceaccount/token symlink pointing to it.
# This function listens to creation events under the serviceaccount directory,
# only reacting to direct creation of a "token" file, or creation of
# directories containing a "token" file.
# This function detects whether the service account token was rotated by
# listening to MOVED_TO events under the directory
# /var/run/secrets/kubernetes.io/serviceaccount, detecting whether the ..data
# directory was moved to, as recommended by k8s' atomic writer:
# > Consumers of the target directory can monitor the ..data symlink using
# > inotify or fanotify to receive events when the content in the volume is
# > updated.
# Indeed, as per atomic writer's Write function docs, in the final steps the
# ..data_tmp symlink points to a new timestamped directory containing the new
# files, which is then atomically renamed to ..data:
# > 8. A symlink to the new timestamped directory ..data_tmp is created that will
# > become the new data directory.
# > 9. The new data directory symlink is renamed to the data directory; rename is atomic.
# See https://github.com/kubernetes/kubernetes/blob/release-1.32/pkg/volume/util/atomic_writer.go
monitor_service_account_token() {
inotifywait -m "${SERVICEACCOUNT_PATH}" -e create |
while read -r directory _ filename; do
target=$(realpath "$directory/$filename")
if [[ (-f "$target" && "${target##*/}" == "token") || (-d "$target" && -e "$target/token") ]]; then
log "Detected creation of file in $directory: $filename; recreating kubeconfig file"
create_kubeconfig
else
log "Detected creation of file in $directory: $filename; ignoring"
inotifywait -m "${SERVICEACCOUNT_PATH}" -e moved_to |
while read -r _ _ filename; do
if [[ "$filename" == "..data" ]]; then
log "Detected change in service account files; recreating kubeconfig file"
create_kubeconfig
fi
done
}
Expand Down