Merge pull request #207 from gauravpriyolkar/mintokenexpiration-to-ma…

…tch-kubernetes-minumum Adjust min serviceaccounttoken expiration to 10min
aws · Jan 30, 2024 · f9a3c33 · f9a3c33
2 parents 33a1516 + 02c8753
commit f9a3c33
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 3 deletions.
diff --git a/pkg/constants.go b/pkg/constants.go
@@ -18,8 +18,8 @@ const (
 	// Default token expiration in seconds if none is defined,
 	// which is 24hrs as that is max for EKS
 	DefaultTokenExpiration = int64(86400)
-	// 1hr is min for kube-apiserver
-	MinTokenExpiration = int64(3600)
+	// 10mins is min for kube-apiserver
+	MinTokenExpiration = int64(600)
 
 	// AWS SDK defined environment variables.
 	AwsEnvVarContainerCredentialsFullUri     = "AWS_CONTAINER_CREDENTIALS_FULL_URI"

diff --git a/pkg/handler/testdata/rawPodMinTokenExpiration.pod.yaml b/pkg/handler/testdata/rawPodMinTokenExpiration.pod.yaml
@@ -8,7 +8,7 @@ metadata:
     testing.eks.amazonaws.com/serviceAccount/audience: "sts.amazonaws.com"
     testing.eks.amazonaws.com/handler/injectSTS: "true"
     testing.eks.amazonaws.com/handler/region: "cn-north-1"
-    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":3600,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_REGION","value":"cn-northwest-1"},{"name":"AWS_STS_REGIONAL_ENDPOINTS","value":"regional"},{"name":"AWS_ROLE_ARN","value":"arn:aws-cn:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
+    testing.eks.amazonaws.com/expectedPatch: '[{"op":"add","path":"/spec/volumes","value":[{"name":"aws-iam-token","projected":{"sources":[{"serviceAccountToken":{"audience":"sts.amazonaws.com","expirationSeconds":600,"path":"token"}}]}}]},{"op":"add","path":"/spec/containers","value":[{"name":"balajilovesoreos","image":"amazonlinux","env":[{"name":"AWS_REGION","value":"cn-northwest-1"},{"name":"AWS_STS_REGIONAL_ENDPOINTS","value":"regional"},{"name":"AWS_ROLE_ARN","value":"arn:aws-cn:iam::111122223333:role/s3-reader"},{"name":"AWS_WEB_IDENTITY_TOKEN_FILE","value":"/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}],"resources":{},"volumeMounts":[{"name":"aws-iam-token","readOnly":true,"mountPath":"/var/run/secrets/eks.amazonaws.com/serviceaccount"}]}]}]'
     # Pod Annotation
     eks.amazonaws.com/token-expiration: "0"
 spec: