modules/bound-sa-tokens-configuring.adoc
41 additions & 9 deletions
@@ -23,15 +23,7 @@ This step is typically not required if the bound tokens are used only within the
23
23
====
24
24
If you update the `serviceAccountIssuer` field and there are bound tokens already in use, all bound tokens with the previous issuer value will be invalidated. Unless the holder of a bound token has explicit support for a change in issuer, the holder will not request a new bound token until pods have been restarted.
25
25
26
-
If necessary, you can use the following command to manually restart all pods in the cluster. Be aware that running this command causes a service interruption, because it deletes every running pod in every namespace. These pods will automatically restart after they are deleted.
27
-
28
-
[source,terminal]
29
-
----
30
-
$ for I in $(oc get ns -o jsonpath='{range .items[*]} {.metadata.name}{"\n"} {end}'); \
31
-
do oc delete pods --all -n $I; \
32
-
sleep 1; \
33
-
done
34
-
----
26
+
If necessary, you can manually restart all pods in the cluster so that the holder will request a new bound token. Before doing this, wait for a new revision of the Kubernetes API server pods to roll out with your service account issuer changes.
35
27
====
36
28
37
29
.. Edit the `cluster` `Authentication` object:
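Review bot: the replacement NOTE text (the `+` line beginning "If necessary, you can manually restart all pods in the cluster") tells the reader to wait for a new Kubernetes API server revision before restarting pods but does not say why, and it drops the service-interruption caveat that the removed lines carried. Suggest one sentence giving the reason, for example: "Pods restarted before the new revision has rolled out may still be issued tokens with the previous issuer, which are invalidated once the rollout completes." Since the restart command and its warning now live in the optional step later in the procedure, also consider pointing the reader to that step here so the NOTE is not read as a standalone instruction.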
@@ -50,6 +42,46 @@ spec:
50
42
----
51
43
<1> This value should be a URL from which the recipient of a bound token can source the public keys necessary to verify the signature of the token. The default is [x-]`https://kubernetes.default.svc`.
52
44
45
+
.. Save the file to apply the changes.
46
+
47
+
.. Optional: Manually restart all pods in the cluster so that the holder will request a new bound token.
48
+
49
+
... Wait for a new revision of the Kubernetes API server pods to roll out. It can take several minutes for all nodes to update to the new revision. Run the following command:
50
+
+
51
+
[source,terminal]
52
+
----
53
+
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
54
+
----
55
+
+
56
+
Review the `NodeInstallerProgressing` status condition for the Kubernetes API server to verify that all nodes are at the latest revision. The output shows `AllNodesAtLatestRevision` upon successful update:
57
+
+
58
+
[source,terminal]
59
+
----
60
+
AllNodesAtLatestRevision
61
+
3 nodes are at revision 12 <1>
62
+
----
63
+
<1> In this example, the latest revision number is `12`.
64
+
+
65
+
If the output shows a message similar to one of the following messages, the update is still in progress. Wait a few minutes and try again.
66
+
67
+
**`3 nodes are at revision 11; 0 nodes have achieved new revision 12`
68
+
**`2 nodes are at revision 11; 1 nodes are at revision 12`
69
+
70
+
... Manually restart all pods in the cluster:
71
+
+
72
+
[WARNING]
73
+
====
74
+
Be aware that running this command causes a service interruption, because it deletes every running pod in every namespace. These pods will automatically restart after they are deleted.
75
+
====
76
+
+
77
+
[source,terminal]
78
+
----
79
+
$ for I in $(oc get ns -o jsonpath='{range .items[*]} {.metadata.name}{"\n"} {end}'); \
80
+
do oc delete pods --all -n $I; \
81
+
sleep 1; \
82
+
done
83
+
----
84
+
53
85
. Configure a pod to use a bound service account token by using volume projection.
54
86
55
87
.. Create a file called `pod-projected-svc-token.yaml` with the following contents:
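Review bot: the jsonpath in the new `oc get kubeapiserver` command opens `{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}` without a closing `{end}`, while the pod-restart command in the same hunk closes its range with `{end}`; add `{end}` after the final `{"\n"}` so both templates use the same closed form rather than relying on end-of-template handling. Two smaller points: the in-progress example messages are written as `**`3 nodes are at revision 11; ...`` with no space after `**`, and AsciiDoc only treats `**` as a nested list marker when a space follows it, so check the rendered output or use a `*` marker followed by a space; and the step that checks for `AllNodesAtLatestRevision` would be clearer if it told the reader to confirm that the reported revision is higher than the one shown before the `Authentication` object was edited, because a cluster whose rollout has not yet started can also report all nodes at its current latest revision.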