Support for BoundServiceAccountTokenVolume refresh token

[hugomcfonseca]

Feature Request

Support to automatically refresh token of the Kubernetes ServiceAccount to avoid hitting authentication issues related to expired ServiceAccount token.

Proposal:

In theory, using the latest version of kubernetes/client-go should resolve this issue. More info here: https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html#service-account-tokens.

Use case:

https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html#service-account-tokens

Additional info:

• Cloud Provider: AWS (EKS)
• K8s version: 1.21

For authentication in Kubernetes API, we use the following:

> k get cm -n monitoring telegraf-daemonset -o yaml | rg -A3 "inputs.kubernetes"
    [[inputs.kubernetes]]
      url = "https://$HOSTIP:10250"
      bearer_token = "/run/secrets/kubernetes.io/serviceaccount/token"
      insecure_skip_verify = true

[powersj]

Thanks for filing this!

We are going to need to do some investigation as to what needs to change in Telegraf. We currently pull in k8s.io/client-go v0.23.3, so I'm unclear if there is something else we need to do or be doing differently.

[hugomcfonseca]

@powersj just to give an update, I have try to change the bearer token to /var/run/secrets/kubernetes.io/serviceaccount/token instead. Although, without success as after an hour, I noticed that telegraf pods still uses an old token after checking it in Cloudwatch EKS audit logs.

This was part of what I read here.

[iliars29]

I have same issue as @hugomcfonseca. It seems that bearer_token is only read once, when telegraf starts, I can see that /var/run/secrets/kubernetes.io/serviceaccount/token is refreshed every hour, but telegraf is still using the "expired" token.

Probably needs that telegraf reloads that token every hour or with a new parameter that indicates how often to reload it.

[hugomcfonseca]

@powersj is there any news on this topic? EKS 1.20 is getting closer to the AWS EOL, and EKS 1.21 will be sooner the minimum version supported by AWS.

[iliars29]

I wrote a simple liveness script that checks if token has renewed, if renewed launch telegraf reload with "pkill -1".

That fixed the problem for me.

[powersj]

@hugomcfonseca can you share the error message you get from Telegraf so I know where it is erroring out and what type of error you get? I think it is the call to gathePodInfo but I want to be sure and see what error comes back.

If it is specific to auth, we could update our logic to re-read the file.

Thanks

[hugomcfonseca]

@powersj as of today, I do not have an error on telegraf logs regarding this. Since we use EKS 1.21, it will require that telegraf pods lasts at least 90 days so that it (theoretically) returns an auth error, and that's because of an AWS-specific implementation that extends the lifetime of the ServiceAccount token as it stands:

For Amazon EKS clusters, the extended expiry period is 90 days. Your Amazon EKS cluster's Kubernetes API server rejects requests with tokens older than 90 days

ref: https://docs.aws.amazon.com/eks/latest/userguide/service-accounts.html#service-account-tokens

I was able to check that token is renewed every hour in the telegraf pods, and check the associated iss and exp fields. To obtain the token, I just ran:

kubectl exec -it -n monitoring <telegraf_podname> -- cat /var/run/secrets/kubernetes.io/serviceaccount/token

And then, I have just decoded it at https://jwt.io/.

---

EDIT:

It seems that an older token is just being reused when using the kube_inventory. I was able to check by correlating with the pod IP, and they all came from the same one that I use to scrape Kubernetes API metrics using https://github.com/influxdata/telegraf/blob/02dd7c17521c470966510bc2318216ecb4922f9c/plugins/inputs/kube_inventory/README.md.

[powersj]

For kube_inventory, telegraf reads the file during init when the plugin is first created as you point out. The token is passed as a string to the k8s client via BearerToken when the client is also created during init.

Looking at the k8s config code it makes it clear, that tokens passed in directly are not attempted to be refreshed. While passing in a token file is periodically read.

My proposal then is:

1. If the Telegraf config option BearerToken is set then we create the K8s client using BearerTokenFile rather than reading the file in Telegraf
2. If the Telegraf config option BearerTokenString is set, create the client using BearerToken and print an info level log message that no attempt to refresh the token will be made
3. Deprecate the Telegraf config option BearerTokenString option
4. If neither are set, we continue to use the default serviceaccount location, but create the K8s client using BearerTokenFile
5. Update the config file with an explanation about refresh requiring a file location

The same steps will be required for both kubernetes and kube_inventory plugins.

The prometehus plugin may also need updates of somesort as there is a similar config option there, but let's see if this even works here first.