Last Modified: Nov 22, 2025
Affected Product(s):
F5OS F5OS-A
Known Affected Versions:
F5OS-A 1.5.1, F5OS-A 1.5.2, F5OS-A 1.7.0, F5OS-A 1.8.0, F5OS-A 1.8.3
Fixed In:
F5OS-A 1.5.3
Opened: Oct 10, 2024 Severity: 2-Critical
Expiry of service account token inside multus pod causes tenant startup to fail. Tenant fails to deploy and the tenant status ('show tenants') reads: Not ready: containers with unready status: [compute] There are numerous entries similar to the following in /var/log/messages: "Unable to authenticate the request" err="[invalid bearer token, Token has expired.]" Note: Tenant will only be impacted if/after it is changed to configured or provisioned and then it is deployed again.
After one year, token in the multus.kubeconfig becomes stale (expired). As a result, when Multus tries to access the Kubernetes API server using the stale token in the multus.kubeconfig, it may fail with authentication errors because the token is no longer valid.
-- Multus.kubeconfig is not recreated or updated when the service account token in /var/run/secrets/kubernetes.io/serviceaccount/token is renewed. -- Even though the token is renewed, the token is still valid for a year in multus.kubeconfig
Workaround(1): Impact of procedure: Performing the following procedure should not have a negative impact on your system. Delete the multus pod by logging into the system as root and running the following command: kubectl -n kube-system delete pod -l app=multus The system will delete the running pod and create a new one. This will refresh the token for the next one year. Workaround(2): Impact of procedure: Tenants will be temporarily unavailable during this process. Rebooting the device will refresh the token.
None