Question

Can I stop my kubeconfig file from expiring every 7 days?

We have an application that makes pod deployments to the Kubernetes cluster, but it started failing a week later saying “Unauthorized”. I noticed it’s because the config file on DigitalOcean is being reset. How can I work around this? We register the cluster to this application using the config file, but we can’t be changing it every week.

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

clennJanuary 15, 2019
Accepted Answer

you could make a cronjob once a week downloading the new kubeconfig file trough doctl

with a command like this:

 doctl kubernetes cluster kubeconfig show INSERT_CLUSTER_ID > ~/.kube/YOURKUBECONFIGNAME.yaml

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

negrustiJanuary 5, 2019

Same question, looks like a showstopper for us - can’t use DO Kubernetes until this is resolved

nevothelessMarch 4, 2019

Relevant: https://www.digitalocean.com/docs/kubernetes/overview/#known-issues

The certificate authority, client certificate, and client key data in the kubeconfig.yaml file are rotated weekly. If you run into errors like the server doesn’t have a resource type “<resource>”, Unauthorized, or Unknown resource type: nodes, try downloading a new cluster configuration file. The certificates will be valid for one week from the time of the download.

I talked to support about this, and it seems that they classified this as an actual Issue their engineers are working on. Also this apperantely is probably one of many blockers for Kubernetes Services getting out of LTD.

dmargraveJanuary 16, 2019

so here is what i did - a simple script to grant the default service account cluster-admin role. i am not guaranteeing this is secure or anything - use at your own risk. let’s see if markdown works fora code block here in the comments.

#!/bin/bash


NAMESPACE=default
SA_NAME=default
CRB_NAME=sa-admin
CONTEXT=digitalocean # this is not the default I edited my kubeconfig after download

cat > /tmp/clusterrolebinding.yaml <<EOF
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: ${CRB_NAME}
subjects:
  - kind: ServiceAccount
    name: ${SA_NAME}
    namespace: ${NAMESPACE}
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF

kubectl create -f /tmp/clusterrolebinding.yaml

SECRET_ID=$(kubectl get secrets --namespace $NAMESPACE | awk "/$SA_NAME/"'{print $1}')
TOKEN=$(kubectl get secrets $SECRET_ID -n $NAMESPACE -o json | jq '.data.token' | tr -d '"' | base64 -D)

kubectl config set-credentials $SA_NAME --token=$TOKEN
kubectl config set-context ${CONTEXT} --user ${SA_NAME} --namespace ${NAMESPACE}

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up