#general

adamant-kite-43734

05/02/2023, 1:58 PM
This message was deleted.

alert-traffic-48134

05/02/2023, 3:32 PM
Found a workaround myself: I disabled the FG: LegacyServiceAccountTokenTracking=false

melodic-wolf-74801

07/18/2023, 1:08 PM
Where did you deploy this?

alert-traffic-48134

07/18/2023, 1:12 PM
In my control-plane configuration. (Sorry, it's not a cluster deployed by Rancher. I've deployed Kubernetes myself using TalosOS, and then added it to Rancher to have better user management.)
It's a Kubernetes feature gate

melodic-wolf-74801

07/18/2023, 1:13 PM
I have my control-plane in DigitalOcean
I don't believe that I have access to the control-plane's config

alert-traffic-48134

07/18/2023, 1:13 PM
You may want to check with support whether they can add this kind of customisation

melodic-wolf-74801

07/18/2023, 1:25 PM
Do I understand correctly that this warning message is because the authentication between Rancher and the cluster is a token-based secret instead of a client certificate?

alert-traffic-48134

07/18/2023, 1:27 PM
It's because my Kubernetes installation automatically created a secret for each serviceaccount created. And kubectl (I guess) detects that and raises a warning

melodic-wolf-74801

07/18/2023, 1:28 PM
It happens when I try to access my cluster via Rancher and not directly using the client config
When I access it directly, this warning message doesn't get raised

alert-traffic-48134

07/18/2023, 1:30 PM
It's been a while since I dove into this issue. But I'm pretty sure that all secrets are scanned, and if they belong to a serviceaccount, the warning is raised. On Kubernetes 1.27
Or maybe it's because my user (the Rancher one) has a secret (associated with the serviceAccount) which is "legacy". Kubernetes adds this label for those users:
labels:
    kubernetes.io/legacy-token-last-used: "2023-04-28"
When this label exists, the warning is raised. But you are right, it may be the case only if we use a Rancher user.
And I haven't found any solution to change the way Rancher generates the secret, so I've disabled the FeatureGate in the Kubernetes control plane

melodic-wolf-74801

07/18/2023, 1:37 PM
Gonna make a new post about it. Hopefully there are now more people that are trying 1.27.

alert-traffic-48134

07/18/2023, 1:37 PM
Yes sure, and also a few months ago, Rancher wasn't officially compatible with 1.27. What do you mean by a new post?
Oh ok, in the general channel 😉

melodic-wolf-74801

07/18/2023, 1:38 PM
here on Slack
yes
Ah, possible that I have to update my Rancher 🤔
Hm, looks like Rancher 2.7.5 is not certified yet with v1.26.

alert-traffic-48134

07/18/2023, 1:40 PM
Yes, even 2.7
We have a lot of clusters based on Rancher 2.6, and we are migrating to 2.7 (Rancher 2.6 allows k8s 1.24, then upgrade the Rancher server to 2.7 to push k8s to 1.26)