From fa5e6587f1a84b7b02af01c8fa52f984b519de9a Mon Sep 17 00:00:00 2001
From: Max Goltzsche
Date: Thu, 2 Mar 2023 03:14:50 +0100
Subject: [PATCH] handle new error where sa jwt issued in the future

Signed-off-by: Max Goltzsche
---
 pkg/serviceaccount/claims.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/pkg/serviceaccount/claims.go b/pkg/serviceaccount/claims.go
index a6889d28293..76bb8b10cd9 100644
--- a/pkg/serviceaccount/claims.go
+++ b/pkg/serviceaccount/claims.go
@@ -128,6 +128,9 @@ func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims,
 case jwt.ErrNotValidYet:
 return nil, errors.New("service account token is not valid yet")
 
+ case jwt.ErrIssuedInTheFuture:
+ return nil, errors.New("service account token is issued in the future")
+
 // our current use of jwt.Expected above should make these cases impossible to hit
 case jwt.ErrInvalidAudience, jwt.ErrInvalidID, jwt.ErrInvalidIssuer, jwt.ErrInvalidSubject:
 klog.Errorf("service account token claim validation got unexpected validation failure: %v", err)
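Review bot: The new `case jwt.ErrIssuedInTheFuture:` branch arrives without a test (the diffstat touches only `claims.go`), so nothing pins that a token whose `iat` is ahead of the validator's clock is rejected with this message rather than landing in another branch of the switch. A table case that sets `IssuedAt` a few minutes past the validation time and asserts the returned error would cover it. A short comment on the branch would also help the next reader tell it apart from the `ErrNotValidYet` case above, e.g. `// iat is ahead of our clock; usually clock skew between the token issuer and this validator`. The switch head and the rest of `Validate` are outside the hunk, so whether `err` is matched by identity or via `errors.Is` cannot be checked from here.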