
Expose Gardenlet Configuration Used to Control the Duration of Requested Workload Identity Tokens #13669

@dimityrmirchev

Description


How to categorize this issue?

/area security disaster-recovery robustness
/kind enhancement

What would you like to be added:
As of now, users cannot configure the expiration of workload identity tokens, which is set to 6 hours.

const (
	maxExpirationDuration = 24 * time.Hour
	expirationDuration    = 6 * time.Hour // short enough to be secure and long enough to be resilient to disruptions
)

Tokens are renewed when the token reaches ~80% of its lifespan.

func (r *Reconciler) renewDuration(expirationTimestamp time.Time) time.Duration {
	expirationDuration := expirationTimestamp.UTC().Sub(r.Clock.Now().UTC())
	if expirationDuration >= maxExpirationDuration {
		expirationDuration = maxExpirationDuration
	}
	return r.JitterFunc(expirationDuration*80/100, 0.05)
}

It can be beneficial if operators of a Gardener system can configure the expiration for such tokens in order to mitigate the risk mentioned below.

Why is this needed:
If the Garden cluster is not reachable for a longer period of time because of a datacenter failure or other force majeure reason, the gardenlets would not be able to request workload identity tokens. This will eventually block cloud operations such as provisioning of hardware and reconciliation of existing cloud infrastructure. That can be especially bad, for example, for clusters that rely on scale-up behaviour (provisioning of new nodes).

This risk is not present if users configure static credentials for Gardener-to-cloud-infrastructure-provider communication, as those credentials never expire.
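To make the trade-off in this issue concrete, the following added example (not Gardener's code) reproduces the renewal schedule quoted above with the clock and jitter passed in explicitly, and derives how long the Garden cluster may be unreachable before the first token expires for a given configured lifetime. It assumes `JitterFunc` behaves like an additive jitter (duration plus up to 5% of it), which is an assumption about the real implementation.

```go
package main

import (
	"fmt"
	"math/rand"
	"time"
)

// Same cap as the gardenlet constant quoted in the issue.
const maxExpirationDuration = 24 * time.Hour

// additiveJitter mirrors the shape of k8s.io/apimachinery's wait.Jitter
// (d plus up to maxFactor*d). Assumption: that is what r.JitterFunc does.
func additiveJitter(d time.Duration, maxFactor float64) time.Duration {
	return d + time.Duration(rand.Float64()*maxFactor*float64(d))
}

// RenewDuration is the renewDuration logic from the issue with clock and
// jitter passed in explicitly so the schedule can be computed offline.
func RenewDuration(expiresAt, now time.Time, jitter func(time.Duration, float64) time.Duration) time.Duration {
	remaining := expiresAt.UTC().Sub(now.UTC())
	if remaining >= maxExpirationDuration {
		remaining = maxExpirationDuration
	}
	return jitter(remaining*80/100, 0.05)
}

// OutageTolerance returns, for tokens requested with lifetime exp (clamped to
// the 24h cap), how long the Garden cluster may be unreachable before the
// first token expires: shortest is the gap between the latest possible renewal
// attempt (80% plus the full 5% jitter) and expiry; longest is the whole
// lifetime, when the outage starts right after a successful renewal.
func OutageTolerance(exp time.Duration) (shortest, longest time.Duration) {
	if exp > maxExpirationDuration {
		exp = maxExpirationDuration
	}
	base := exp * 80 / 100
	latestRenew := base + base*5/100
	return exp - latestRenew, exp
}

func main() {
	now := time.Now()
	for _, exp := range []time.Duration{6 * time.Hour, 12 * time.Hour, 48 * time.Hour} {
		renew := RenewDuration(now.Add(exp), now, additiveJitter)
		shortest, longest := OutageTolerance(exp)
		fmt.Printf("lifetime %v: next renewal in %v, tolerated outage %v..%v\n", exp, renew.Round(time.Minute), shortest, longest)
	}
}
```

With the current 6h lifetime the worst-case window is under an hour, and the 24h cap means a configured 48h lifetime buys no more than 24h of tolerance.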

Labels

area/disaster-recovery: Disaster recovery related
area/ipcei: IPCEI (Important Project of Common European Interest)
area/robustness: Robustness, reliability, resilience related
area/security: Security related
kind/enhancement: Enhancement, improvement, extension
