will .kube/config token expired

9/11/2019

I use .kube/config to access Kubernetes api on a server. I am wondering does the token in config file ever get expired? How to prevent it from expire?

-- cometta
kubernetes
kubernetes-apiserver

3 Answers

9/11/2019

Yes, it will be expired after one year. Automatic certificate renewal feature is the default on kubernetes 1.15 version unless you have explicitly disabled it during the kubeadm init phase with --certificate-renewal=false option.

Check expiration:

    kubeadm alpha certs check-expiration

E.g.

CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED

admin.conf Sep 06, 2020 04:34 UTC 361d no
apiserver Sep 06, 2020 04:34 UTC 361d no
apiserver-etcd-client Sep 06, 2020 04:34 UTC 361d no
apiserver-kubelet-client Sep 06, 2020 04:34 UTC 361d no
controller-manager.conf Sep 06, 2020 04:34 UTC 361d no
etcd-healthcheck-client Sep 06, 2020 04:34 UTC 361d no
etcd-peer Sep 06, 2020 04:34 UTC 361d no
etcd-server Sep 06, 2020 04:34 UTC 361d no
front-proxy-client Sep 06, 2020 04:34 UTC 361d no
scheduler.conf Sep 06, 2020 04:34 UTC 361d no

Renew all certifications:

  kubeadm alpha certs renew all

Renew only admin.conf:

  kubeadm alpha certs renew admin.conf
  cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
-- Subramanian Manickam
Source: StackOverflow

9/17/2019

This is OAuth provider specific. For example GKE uses this.

So in short, auth provider issues you a JWT token a proof you are auth, which contains a data like expiration time, according to documentation it cannot be more than 60 min in case of google accounts.

I hope it helps.

-- OhHiMark
Source: StackOverflow

9/17/2019

the solution is to use kubernetes service account

-- cometta
Source: StackOverflow