feat: Implement TLS for interactions between agent and manager #19
internal/agent/agent.go
@@ -117,7 +117,7 @@ func NewAgent( | |||
stopCh: stopCh, | |||
log: log, | |||
} | |||
|
|||
varmorutils.InitAndStartTokenRotation(time.Hour, log) |
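Review bot: the rotation interval is a bare literal (`time.Hour`) at the call site in `NewAgent`; since the thread is still settling on the cadence (5 minutes vs. reload on 401), hoist it into a named constant or an agent config field so it can be tuned without a rebuild, and document that the value must stay well below the projected token's TTL, because the kubelet only rewrites the token file once it passes 80% of its lifetime or 24 hours. Also worth stating in a comment that `InitAndStartTokenRotation` is expected to stop when `stopCh` closes, as the goroutine otherwise outlives the agent.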
"The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours."
We should check and reload the token more frequently. How about 5 minutes? I'm not sure if there are any best practices. Or we can just reload the token when the server returns 401.
I'm willing to change the token refresh interval to 5 minutes. The reason is that while the default interval is 7200 seconds (2 hours), a shorter interval can enhance security.
func updateToken(filePath string, logger logr.Logger) { | ||
newToken, err := os.ReadFile(filePath) | ||
if err != nil { | ||
logger.Error(err, "update agent bind token error") |
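Review bot: the error branch in `updateToken` logs and then falls through within the visible lines, so make sure it never assigns the empty `newToken` to the live credential; either `return` immediately or, as discussed, terminate the agent, keeping in mind that `os.Exit` skips deferred cleanup. When the read does succeed, run the contents through `strings.TrimSpace` before use, since a trailing newline in the token file would otherwise be sent as part of the bearer token and rejected.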
This is a fatal error. Perhaps we should consider restarting the agent immediately?
I will use os.Exit instead to fix it.
defer httpRsp.Body.Close() | ||
if httpRsp.StatusCode == http.StatusOK { | ||
return nil | ||
} else { |
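Review bot: the `else` branch treats every non-200 response the same, but `http.StatusUnauthorized` is the signal the rest of this thread wants to act on; branch on it explicitly so the caller can reload the token and retry once, and include `httpRsp.StatusCode` in the returned error for the other cases so a 403 or 5xx is distinguishable in the agent log. Since the body is only closed via `defer` and never read, drain it (`io.Copy(io.Discard, httpRsp.Body)`) before returning so the client can reuse the connection.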
Maybe we need to reload the token if the service returns 401.
tr := &authv1.TokenReview{ | ||
Spec: authv1.TokenReviewSpec{ | ||
Token: token, | ||
}, |
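Review bot: `TokenReviewSpec` is built with only `Token`, so the review defaults to the API server's audience and would accept any service-account token presented to the manager; set `Audiences` to the audience the agent's projected token was issued for, and after the review check both `Status.Authenticated` and that `Status.Audiences` contains that value before trusting `Status.User`. A short comment naming the expected audience next to the struct literal would keep it in step with the agent's volume projection.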
"If no audiences are provided, the audience will default to the audience of the Kubernetes apiserver."
It is necessary to explicitly declare audiences.
Understood, I will make the modifications.