handle new error where sa jwt issued in the future

Signed-off-by: Max Goltzsche <max.goltzsche@gmail.com>
Max Goltzsche 2023-03-02 03:14:50 +01:00
parent 031075d149
commit fa5e6587f1
No known key found for this signature in database
GPG Key ID: 364FA5A62B410BA4


@ -128,6 +128,9 @@ func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims,
case jwt.ErrNotValidYet:
return nil, errors.New("service account token is not valid yet")
case jwt.ErrIssuedInTheFuture:
return nil, errors.New("service account token is issued in the future")
// our current use of jwt.Expected above should make these cases impossible to hit
case jwt.ErrInvalidAudience, jwt.ErrInvalidID, jwt.ErrInvalidIssuer, jwt.ErrInvalidSubject:
klog.Errorf("service account token claim validation got unexpected validation failure: %v", err)