I use .kube/config to access Kubernetes api on a server. I am wondering does the token in config file ever get expired? How to prevent it from expire?
Yes, it will be expired after one year. Automatic certificate renewal feature is the default on kubernetes 1.15 version unless you have explicitly disabled it during the kubeadm init phase with --certificate-renewal=false option.
Check expiration:
kubeadm alpha certs check-expirationE.g.
CERTIFICATE EXPIRES RESIDUAL TIME EXTERNALLY MANAGED
admin.conf Sep 06, 2020 04:34 UTC 361d no
apiserver Sep 06, 2020 04:34 UTC 361d no
apiserver-etcd-client Sep 06, 2020 04:34 UTC 361d no
apiserver-kubelet-client Sep 06, 2020 04:34 UTC 361d no
controller-manager.conf Sep 06, 2020 04:34 UTC 361d no
etcd-healthcheck-client Sep 06, 2020 04:34 UTC 361d no
etcd-peer Sep 06, 2020 04:34 UTC 361d no
etcd-server Sep 06, 2020 04:34 UTC 361d no
front-proxy-client Sep 06, 2020 04:34 UTC 361d no
scheduler.conf Sep 06, 2020 04:34 UTC 361d no
Renew all certifications:
kubeadm alpha certs renew allRenew only admin.conf:
kubeadm alpha certs renew admin.conf
cp -i /etc/kubernetes/admin.conf $HOME/.kube/configThis is OAuth provider specific. For example GKE uses this.
So in short, auth provider issues you a JWT token a proof you are auth, which contains a data like expiration time, according to documentation it cannot be more than 60 min in case of google accounts.
I hope it helps.
the solution is to use kubernetes service account