WorkloadManager caches user Kubernetes clients by namespace + service account name, but the cache lookup ignores the current bearer token.
So if the same service account comes in with a different token, GetOrCreateUserK8sClient still returns the old cached client. That client was built with the old BearerToken.
This is bad for token rotation/replacement. The request has already authenticated with the new token, but the actual Kubernetes operation may still use the old one.
Steps to reproduce:
- Create a K8sClient with a ClientCache and base rest.Config.
- Call GetOrCreateUserK8sClient("first-token", "default", "runner").
- Call GetOrCreateUserK8sClient("second-token", "default", "runner").
- Compare the returned clients.
Actual:
Both calls return the same cached UserK8sClient.
Expected:
A token change should create/update the cached client, or the cache should include/check the token before reuse.
Files:
- pkg/workloadmanager/client_cache.go
- pkg/workloadmanager/k8s_client.go
Probably fix is to store the token or token hash in ClientCache entries and make Get check it before returning the cached client. Add tests for same SA + changed token.
WorkloadManager caches user Kubernetes clients by namespace + service account name, but the cache lookup ignores the current bearer token.
So if the same service account comes in with a different token, GetOrCreateUserK8sClient still returns the old cached client. That client was built with the old BearerToken.
This is bad for token rotation/replacement. The request has already authenticated with the new token, but the actual Kubernetes operation may still use the old one.
Steps to reproduce:
Actual:
Both calls return the same cached UserK8sClient.
Expected:
A token change should create/update the cached client, or the cache should include/check the token before reuse.
Files:
Probably fix is to store the token or token hash in ClientCache entries and make Get check it before returning the cached client. Add tests for same SA + changed token.