I use kubeadm token create --print-join-command --ttl 0 to generate a token and then run the generated join command on my worker node. This generates a CSR viewable with kubectl get csr.
After 37 days (first time I checked again might be earlier) the CSR is no longer returned from the API. I couldn't find any information about the automatic deletion of CSRs or their lifetime.
Anyone got some information about this and if there is a way to prevent the deletion?
kubeadm token create --print-join-command --ttl 0
This command generates a token that never expires. Run the command below to list the token:
kubeadm token list
After I couldn't find anything in the documentation, I looked at the source code and found the CSRCleanerController: https://github.com/kubernetes/kubernetes/blob/29b09c7fb1a8d38ab9df4873553cc0b8d97aae95/pkg/controller/certificates/cleaner/cleaner.go
In there it says:
CSRCleanerController is a controller that garbage collects old certificate signing requests (CSRs). Since there are mechanisms that automatically create CSRs, and mechanisms that automatically approve CSRs, in order to prevent a build up of CSRs over time, it is necessary to GC them.
CSRs will be removed if they meet one of the following criteria:
- the CSR is Approved with a certificate and is old enough to be past the GC issued deadline
- the CSR is denied and is old enough to be past the GC denied deadline
- the CSR is Pending and is old enough to be past the GC pending deadline
- the CSR is approved with a certificate and the certificate is expired.
The times are not configurable and are:
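
The four removal criteria quoted above, written out as a decision function. This is an added example, not the controller's code and not part of the original answer. The `CSR` struct, `Deadlines` and `GCReason` are hypothetical names, the deadline values are constructed placeholders rather than the controller's real ones, and measuring the Approved/Denied age from the time the condition was set is an assumption.

```go
package main

import (
	"fmt"
	"time"
)

// CSR is a simplified stand-in for a CertificateSigningRequest (hypothetical, not the API type).
type CSR struct {
	Name        string
	Created     time.Time
	Condition   string    // "" (Pending), "Approved" or "Denied"
	ConditionAt time.Time // assumption: age of Approved/Denied is measured from here
	CertExpiry  time.Time // zero value: no certificate issued
}
type Deadlines struct{ Issued, Denied, Pending time.Duration } // the three GC deadlines

// GCReason returns which quoted criterion removes the CSR, or "" if it is kept.
func GCReason(c CSR, d Deadlines, now time.Time) string {
	issued := c.Condition == "Approved" && !c.CertExpiry.IsZero()
	switch {
	case issued && now.Sub(c.ConditionAt) > d.Issued:
		return "issued, past deadline"
	case c.Condition == "Denied" && now.Sub(c.ConditionAt) > d.Denied:
		return "denied, past deadline"
	case c.Condition == "" && now.Sub(c.Created) > d.Pending:
		return "pending, past deadline"
	case issued && now.After(c.CertExpiry):
		return "issued, certificate expired"
	}
	return "" // e.g. Approved but no certificate yet: none of the criteria match
}

// Constructed sample data; the deadline values are placeholders, not the controller's.
var (
	now       = time.Date(2024, 1, 10, 12, 0, 0, 0, time.UTC)
	deadlines = Deadlines{Issued: 2 * time.Hour, Denied: 2 * time.Hour, Pending: 48 * time.Hour}
	samples   = []CSR{
		{"node-joined", now.Add(-37 * 24 * time.Hour), "Approved", now.Add(-37 * 24 * time.Hour), now.Add(328 * 24 * time.Hour)},
		{"short-lived", now.Add(-time.Hour), "Approved", now.Add(-time.Hour), now.Add(-time.Minute)},
		{"no-cert-yet", now.Add(-time.Hour), "Approved", now.Add(-time.Hour), time.Time{}},
		{"waiting", now.Add(-time.Hour), "", time.Time{}, time.Time{}},
	}
)

func main() {
	for _, c := range samples {
		fmt.Printf("%-12s -> %q\n", c.Name, GCReason(c, deadlines, now))
	}
}
```

Removal of the CSR object by these rules does not revoke or delete the certificate that was issued from it; only the API record goes away.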