
fix(core): Handle K8s service account token rotation#2496

Open
AryanBakliwal wants to merge 1 commit into kubearmor:main from AryanBakliwal:fix-sa-token-rotation

Conversation

@AryanBakliwal (Member) commented Mar 12, 2026

Purpose of PR?:
Use BearerTokenFile in client config, which is set to the path to a file containing BearerToken. The contents of the file are periodically read and the last successfully read value takes precedence over BearerToken.

Fixes #2262

Does this PR introduce a breaking change?
No

If the changes in this PR are manually verified, list down the scenarios covered:
Using a local k3s cluster and setting token expiration time to 1 hour. See timestamp in logs:

Before
After ~1 hour, the token expires and requests to the API server return Unauthorized

$ kubectl logs -n kubearmor kubearmor-bpf-containerd-2c350-5z8tf

2026-03-12 16:46:35.651297	INFO	BUILD-INFO: version: v1.6.8-dirty, branch: HEAD, date: 2026-02-04T09:57:14Z
...
2026-03-12 16:46:35.659895	INFO	Initialized Kubernetes client
...
2026-03-12 17:48:03.890848	INFO	[ProtectProc] deleting container with id to protectProc_map exec map: 708e36794693dde1bc8b2cec90830e08b4ccd26ca76811c3c35cab95157beb27

E0312 17:48:33.107939       1 reflector.go:205] "Failed to watch" err="failed to list *v1.ConfigMap: Unauthorized" logger="UnhandledError" reflector="pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290" type="*v1.ConfigMap"
E0312 17:49:25.584014       1 reflector.go:205] "Failed to watch" err="failed to list *v1.ConfigMap: Unauthorized"
...

After
KubeArmor pod running for >1.5 hours, working as expected

$ kubectl get pods -n kubearmor

NAME                                    READY   STATUS    RESTARTS   AGE
kubearmor-bpf-containerd-2c350-d4jzf    1/1     Running   0          91m
kubearmor-controller-6cff7cdcb8-gx9d9   1/1     Running   0          91m
kubearmor-operator-574f9967ff-hkx65     1/1     Running   0          93m
kubearmor-relay-6f5445f967-nt89m        1/1     Running   0          92m
$ kubectl logs -f -n kubearmor kubearmor-bpf-containerd-2c350-d4jzf

2026-03-12 18:30:19.219019	INFO	BUILD-INFO: version: v1.6.14-dirty, branch: fix-sa-token-rotation, date: 2026-03-12T17:56:24Z
...
2026-03-12 18:30:19.221908	INFO	Initialized Kubernetes client
...
2026-03-12 20:04:03.864832	INFO	Namespace pentestit visibiliy configured {File:true Process:true Network:true Capabilities:true DNS:false IMA:false}

Additional information for reviewer? :
Mention if this PR is part of any design or a continuation of previous PRs

Checklist:

  • Bug fix. Fixes KubeArmor daemonset losing auth. to K8s API after 24 hours #2262
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update
  • PR Title follows the convention of <type>(<scope>): <subject>
  • Commit has unit tests
  • Commit has integration tests
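The PR description relies on the contract of client-go's BearerTokenFile: the token file is re-read periodically and the last successfully read value is what goes on the wire, with the static BearerToken only a fallback. The Go program below is an added illustration written for this page, not code from the PR or from client-go; it reimplements that contract in a small RoundTripper so the before/after scenario from the description can be replayed offline against a constructed fake API server. The token path, the period, and the fake server are all assumptions of the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strings"
	"sync"
	"time"
)

// fileTokenSource re-reads a token file at most once per period and keeps the
// last successfully read value; until the first successful read it falls back
// to a static token. Added illustration of the BearerTokenFile contract, not
// client-go's own implementation.
type fileTokenSource struct {
	path     string        // assumed path of the projected SA token file
	fallback string        // static token, playing the role of rest.Config.BearerToken
	period   time.Duration // 0 means re-read on every call (convenient for the demo)

	mu       sync.Mutex
	token    string
	lastRead time.Time
}

func (s *fileTokenSource) Token() string {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.token == "" || time.Since(s.lastRead) >= s.period {
		// A failed read is deliberately ignored: the previous good token stays in use.
		if b, err := os.ReadFile(s.path); err == nil {
			if t := strings.TrimSpace(string(b)); t != "" {
				s.token = t
				s.lastRead = time.Now()
			}
		}
	}
	if s.token != "" {
		return s.token
	}
	return s.fallback
}

// bearerTransport attaches the current token to every request, so a long-lived
// client such as a DaemonSet pod follows rotation without a restart.
type bearerTransport struct {
	src  *fileTokenSource
	next http.RoundTripper
}

func (t *bearerTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	r := req.Clone(req.Context())
	r.Header.Set("Authorization", "Bearer "+t.src.Token())
	return t.next.RoundTrip(r)
}

// fakeAPIServer accepts exactly one token at a time, like kube-apiserver once
// the previous projected token has expired. Constructed for this example.
type fakeAPIServer struct {
	mu    sync.Mutex
	valid string
}

func (f *fakeAPIServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	f.mu.Lock()
	defer f.mu.Unlock()
	if r.Header.Get("Authorization") != "Bearer "+f.valid {
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprint(w, "ok")
}

// rotate plays the kubelet refreshing the projected token and the apiserver
// dropping the old one at the same time.
func (f *fakeAPIServer) rotate(tokenFile, tok string) error {
	f.mu.Lock()
	f.valid = tok
	f.mu.Unlock()
	return os.WriteFile(tokenFile, []byte(tok+"\n"), 0o600)
}

// demo replays the before/after scenario and returns the status codes each client
// saw: the static client sends its initial token forever ([200 401]); the
// file-backed client follows rotation and, once the file is gone, keeps the last
// good value ([200 200 200]).
func demo(dir string) (static, rotating []int, err error) {
	api := &fakeAPIServer{}
	srv := httptest.NewServer(api)
	defer srv.Close()
	tokenFile := filepath.Join(dir, "token")
	if err = api.rotate(tokenFile, "tok-1"); err != nil {
		return nil, nil, err
	}
	staticSrc := &fileTokenSource{fallback: "tok-1"} // no file: BearerToken only
	fileSrc := &fileTokenSource{path: tokenFile}     // BearerTokenFile
	record := func(src *fileTokenSource, out *[]int) error {
		c := &http.Client{Transport: &bearerTransport{src: src, next: http.DefaultTransport}}
		resp, err := c.Get(srv.URL + "/api/v1/namespaces/kubearmor/configmaps")
		if err != nil {
			return err
		}
		resp.Body.Close()
		*out = append(*out, resp.StatusCode)
		return nil
	}
	if err = record(staticSrc, &static); err != nil {
		return
	}
	if err = record(fileSrc, &rotating); err != nil {
		return
	}
	if err = api.rotate(tokenFile, "tok-2"); err != nil { // token expiry and refresh
		return
	}
	if err = record(staticSrc, &static); err != nil { // the "Unauthorized" lines from the Before log
		return
	}
	if err = record(fileSrc, &rotating); err != nil {
		return
	}
	if err = os.Remove(tokenFile); err != nil { // transient: file unreadable, last good token still used
		return
	}
	err = record(fileSrc, &rotating)
	return static, rotating, err
}

func main() {
	dir, err := os.MkdirTemp("", "sa-token")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	static, rotating, err := demo(dir)
	if err != nil {
		panic(err)
	}
	fmt.Println("static BearerToken:", static)
	fmt.Println("BearerTokenFile   :", rotating)
}
```

The point worth checking in a real deployment is the fallback path: because a read failure is swallowed, a pod whose projected token volume stops refreshing keeps presenting the last token it read and will only surface the problem as Unauthorized responses once that token expires, so the reflector error lines in the Before log remain the signal to alert on.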

AryanBakliwal force-pushed the fix-sa-token-rotation branch from eb077bc to 28ab06f on March 12, 2026 20:08
AryanBakliwal moved this to P1- PR Ready for review in Release v1.6 on Mar 12, 2026
AryanBakliwal force-pushed the fix-sa-token-rotation branch from 28ab06f to d83ba36 on March 12, 2026 20:20
rksharma95 previously approved these changes Mar 13, 2026
achrefbensaad previously approved these changes Mar 13, 2026
Signed-off-by: Aryan Bakliwal <aryanbakliwal12345@gmail.com>

Projects

Status: P1- PR Ready for review

Development

Successfully merging this pull request may close these issues.

KubeArmor daemonset losing auth. to K8s API after 24 hours

3 participants