Let it run for a while (see following comments by the team responsible for running the application itself, if any)
Expected behavior
The k8s cluster is not overwhelmed with a high amount of secrets.
Actual behavior
A number of secrets are created and never cleaned up. These secrets are Service Account Tokens, named like model-exec-token-XXXXX where XXXXX is a random hexadecimal character.
Versions
Operating system: Ubuntu bionic
Juju CLI: 2.9.49
Juju agent: 2.9.49
Charm revision: 158
charmed-kubernetes: 1.21.14
Juju debug log: not available when reporting this bug
Additional context
This was detected at the IS level (k8s cluster operator), we are not the owners of the applications running in that k8s cluster so I will ask the owners of the application to reply to this bug report.
We found out quite a lot of secrets were created when Prometheus alerted about disk space issues. This was probably caused by the cardinality of some kube-state-metrics resulting from the secrets/SA creation pace.
Top 10 label names with value count
Name Count
secret 221034
Top 10 series count by metric names
Name Count
kube_secret_info 221070
It would seem Kubernetes is able to purge unused SA tokens starting with cluster version 1.29, but then the pace at which these are created is worrying. Per the Prometheus history, about 12000 such secrets were created in about 10 days, which amounts to almost one service account/secret per minute.
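For cluster operators who want to measure this kind of growth directly rather than through metric cardinality, the following is an added example and not part of the original report or the charm's code. It assumes the input is the output of `kubectl get secrets -n <namespace> -o json`; the function name `token_growth` and the sample data are constructed for illustration.

```python
import json
import re
from collections import defaultdict
from datetime import datetime

SA_TOKEN_TYPE = "kubernetes.io/service-account-token"

# Constructed sample in the shape of `kubectl get secrets -o json` output:
# ten token secrets created one minute apart, plus one unrelated secret.
SAMPLE = json.dumps({"items": [
    {"type": SA_TOKEN_TYPE,
     "metadata": {"name": f"model-exec-token-{i:05x}",
                  "creationTimestamp": f"2024-01-01T00:{i:02d}:00Z"}}
    for i in range(10)
] + [
    {"type": "Opaque",
     "metadata": {"name": "db-password",
                  "creationTimestamp": "2024-01-01T00:00:00Z"}},
]})


def token_growth(secret_list_json, min_count=5):
    """Group service account token secrets by name prefix and return the
    count and creation rate (per minute) for prefixes with >= min_count."""
    groups = defaultdict(list)
    for item in json.loads(secret_list_json)["items"]:
        if item.get("type") != SA_TOKEN_TYPE:
            continue  # only service account token secrets are of interest
        meta = item["metadata"]
        # Strip the random suffix: model-exec-token-ab12c -> model-exec-token
        prefix = re.sub(r"-[0-9a-z]{5}$", "", meta["name"])
        created = datetime.strptime(meta["creationTimestamp"],
                                    "%Y-%m-%dT%H:%M:%SZ")
        groups[prefix].append(created)
    report = {}
    for prefix, stamps in groups.items():
        if len(stamps) < min_count:
            continue
        span_min = (max(stamps) - min(stamps)).total_seconds() / 60
        # N secrets span N-1 creation intervals
        rate = (len(stamps) - 1) / span_min if span_min else float("inf")
        report[prefix] = {"count": len(stamps), "per_minute": round(rate, 2)}
    return report


if __name__ == "__main__":
    print(token_growth(SAMPLE))
```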
Hi, @kot0dama, can you confirm the juju version (2.9)? I don't think the charm itself should be creating secrets on Juju 2.9, so we should check if Patroni does so.
Yes, the juju version was 2.9.49
Dear @kot0dama, is it still reproducible / topical? Tnx!
As we are merely hosting the application running in our k8s cluster, I wouldn't know for sure. Afaik, the whole namespace has been removed by the team responsible for running it. @kian99 any thoughts on this one please?