feat: Implement TLS for interactions between agent and manager #19
Conversation
internal/agent/agent.go
Outdated
| @@ -117,7 +117,7 @@ func NewAgent( | |||
| stopCh: stopCh, | |||
| log: log, | |||
| } | |||
|
|
|||
| varmorutils.InitAndStartTokenRotation(time.Hour, log) | |||
There was a problem hiding this comment.
"The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours."
We should check and reload the token more frequently. How about 5 minutes? I'm not sure if there are any best practices. Or we can just reload the token when the server returns 401.
There was a problem hiding this comment.
I'm willing to change the token refresh interval to 5 minutes. The reason is that while the default interval is 7200 seconds (2 hours), a shorter interval can enhance security.
| func updateToken(filePath string, logger logr.Logger) { | ||
| newToken, err := os.ReadFile(filePath) | ||
| if err != nil { | ||
| logger.Error(err, "update agent bind token error") |
There was a problem hiding this comment.
This is a fatal error. Perhaps we should consider restarting the agent immediately?
There was a problem hiding this comment.
I will use os.Exit instead to fix it.
| defer httpRsp.Body.Close() | ||
| if httpRsp.StatusCode == http.StatusOK { | ||
| return nil | ||
| } else { |
There was a problem hiding this comment.
Maybe we need to reload the token if the service returns 401.
| tr := &authv1.TokenReview{ | ||
| Spec: authv1.TokenReviewSpec{ | ||
| Token: token, | ||
| }, |
There was a problem hiding this comment.
"If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver."
It is necessary to explicitly declare audiences.
There was a problem hiding this comment.
Understood, I will make the modifications.
No description provided.