modules/bound-sa-tokens-configuring.adoc
16 additions & 5 deletions
@@ -23,7 +23,7 @@ This step is typically not required if the bound tokens are used only within the
23
23
====
24
24
If you change the service account issuer to a custom one, the previous service account issuer is still trusted for the next 24 hours.
25
25
26
-
If necessary, you can manually restart all pods in the cluster so that the holder will request a new bound token. Before doing this, wait for a new revision of the Kubernetes API server pods to roll out with your service account issuer changes.
26
+
You can force all holders to request a new bound token either by manually restarting all pods in the cluster or by performing a rolling node restart. Before performing either action, wait for a new revision of the Kubernetes API server pods to roll out with your service account issuer changes.
27
27
====
28
28
29
29
.. Edit the `cluster` `Authentication` object:
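Review bot: The rewritten sentence at new line 26 drops "If necessary", so restarting every pod or every node now reads as the expected follow-up to an issuer change, while the procedure step added further down still labels it "Optional:". Consider keeping the conditional, for example "If necessary, you can force all holders to request a new bound token by ...", and list the two options in the same order as the procedure step (rolling node restart first) so readers can match them. Because the preceding line says the previous issuer is still trusted for the next 24 hours, a short statement of when forcing a refresh is actually needed would help readers decide whether to accept the disruption.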
@@ -44,9 +44,7 @@ spec:
44
44
45
45
.. Save the file to apply the changes.
46
46
47
-
.. Optional: Manually restart all pods in the cluster so that the holder will request a new bound token.
48
-
49
-
... Wait for a new revision of the Kubernetes API server pods to roll out. It can take several minutes for all nodes to update to the new revision. Run the following command:
47
+
.. Wait for a new revision of the Kubernetes API server pods to roll out. It can take several minutes for all nodes to update to the new revision. Run the following command:
50
48
+
51
49
[source,terminal]
52
50
----
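Review bot: The promoted step at new line 47 still ends with "Run the following command:" without saying what the command is for, which mattered less when it was a sub-step of the optional restart but is now on the main path for every reader. Suggest separating the goal from the action: keep "Wait for a new revision of the Kubernetes API server pods to roll out" as the step, then add a sentence saying the command's output shows the revision status of the nodes. Please also confirm that the `+` continuation, the `[source,terminal]` block and the `**` example messages that follow still attach to this step now that it sits at the `..` level instead of `...`.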
@@ -67,13 +65,26 @@ If the output shows a message similar to one of the following messages, the upda
67
65
**`3 nodes are at revision 11; 0 nodes have achieved new revision 12`
68
66
**`2 nodes are at revision 11; 1 nodes are at revision 12`
69
67
70
-
... Manually restart all pods in the cluster:
68
+
.. Optional: Force the holder to request a new bound token either by performing a rolling node restart or by manually restarting all pods in the cluster.
69
+
70
+
*** Perform a rolling node restart:
71
+
+
72
+
[WARNING]
73
+
====
74
+
It is not recommended to perform a rolling node restart if you have custom workloads running on your cluster, because it can cause a service interruption. Instead, manually restart all pods in the cluster.
75
+
====
76
+
+
77
+
Restart nodes sequentially. Wait for the node to become fully available before restarting the next node. See _Rebooting a node gracefully_ for instructions on how to drain, restart, and mark a node as schedulable again.
78
+
79
+
*** Manually restart all pods in the cluster:
71
80
+
72
81
[WARNING]
73
82
====
74
83
Be aware that running this command causes a service interruption, because it deletes every running pod in every namespace. These pods will automatically restart after they are deleted.
75
84
====
76
85
+
86
+
Run the following command:
87
+
+
77
88
[source,terminal]
78
89
----
79
90
$ for I in $(oc get ns -o jsonpath='{range .items[*]} {.metadata.name}{"\n"} {end}'); \
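Review bot: The new WARNING under "Perform a rolling node restart" (new line 74) contradicts the existing WARNING under "Manually restart all pods in the cluster" (new line 83). The first says to avoid a rolling node restart with custom workloads "because it can cause a service interruption. Instead, manually restart all pods in the cluster", but the second states that the pod restart command "causes a service interruption, because it deletes every running pod in every namespace". As written, the recommended alternative has the same drawback as the option being warned against. Suggest rewording the first warning to say how the two options differ in impact, or dropping the "Instead" sentence. Separately, _Rebooting a node gracefully_ at new line 77 is named only in italics; if the assembly does not already link it under additional resources, add the cross-reference so the drain and uncordon steps can be found.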