1. Rancher Labs
  2. Announcements
  3. Operational

Rancher Operational Advisory: Take Action > MAX TTL setting for API keys and kubeconfig tokens in Rancher v2.4.6+

Follow
Avatar
Bala Gopalan
Table of Contents

Dear Rancher 2.x user,

This is an operational advisory from Rancher Support for users of Rancher 2.x to take appropriate action.

Rancher released the following two versions recently:

Rancher Version Release Date Release Notes Support Matrix Default k8s version
v2.4.7 Sep 01, 2020 Release Notes Support Matrix v1.18.6
v2.4.6 Aug 27, 2020 Release Notes Support Matrix v1.18.6

New global setting, auth-token-max-ttl-minutes

In Rancher v2.4.6, a new global setting, i.e. auth-token-max-ttl-minutes, was introduced to allow admins to set an expiration on any API tokens created for Rancher. This is the max TTL setting allowed on API keys and kubeconfig tokens. When creating an API key, users have the ability to set their own TTL, but the maximum TTL is now derived from this new global setting.

In v2.4.6, by default, the value of this global setting is 24 hours. Any new API key that is set to “Never Expire” would now expire after 24 hours due to this default value.

In the previous Rancher installs, users could define an API key to never expire and there was no maximum TTL that could override it.

What you need to know about this new setting in v2.4.6

If you have upgraded to v2.4.6 and need to allow users to create new API keys that never expire, take the following action:

  • Update the global setting, auth-token-max-ttl-minutes, to 0.
  • This will allow all API tokens to exist indefinitely.

And, how it has been changed in v2.4.7

In Rancher v2.4.7, the default value for this new global setting has been changed to 0. After upgrading to this version, admins can configure their max TTL setting for their Rancher setups to match their needs.

Note

  • The default value of the auth-token-max-ttl-minutes global setting is the only change between Rancher v2.4.6 and v2.4.7.  The change was made to maintain the default behavior of token expiry in Rancher versions 2.4.5 and lower.
  • If you are in a Rancher version lower than v2.4.6 and considering an upgrade, it is recommended to upgrade to v2.4.7 instead.

Questions?

Simply submit a request via this portal referencing this article and we will track and respond to your question as a Support Ticket.

Thanks

Rancher Support Team

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Article is closed for comments.