Client bundle expiration
Available as of MKE 3.9.0
MKE administrators can define how long a newly generated client bundle remains valid. A bundle with a set expiration becomes invalid the moment it reaches its expiration time, after which it can no longer be used for authentication.
Client bundles that were generated before expiration settings were applied to the cluster remain valid for authentication until the expiry of their original certificate, if applicable. If you want older bundles to expire immediately, you can either manually invalidate or revoke these bundles, or you can disable them.
Set client bundle expiration
You control client bundle expiration through configuration parameters in the MKE configuration file. Note that these settings only affect bundles that are generated after these parameters are set.
To set or modify the expiration of client bundles:
1. Obtain the current MKE configuration file for your cluster.
2. Set the relevant configuration parameter to the desired time value:
   - client_bundle_expiration, for regular users
   - automation_client_bundle_expiration, for automation users
3. Upload the newly edited MKE configuration file to the cluster.
Verify the expiration timestamp
1. Inspect the certificate in the client bundle.
2. Confirm that the NotAfter field is present and reflects the configured expiration duration.
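One way to run this check from a shell, as an added example that is not part of the MKE documentation. It assumes the openssl CLI is installed and that the bundle's certificate file is named cert.pem; the function names and the self-signed sample certificate are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not MKE tooling): compare a client bundle certificate's
# NotAfter with the lifetime you configured. Requires the openssl CLI.

# Print the expiry line, in the form "notAfter=<date> GMT".
bundle_not_after() {
    openssl x509 -in "$1" -noout -enddate
}

# Usage: bundle_expires_within <cert.pem> <max_seconds>
#   0 = valid now and expires within max_seconds (matches the setting)
#   1 = outlives max_seconds (for example, a bundle that predates the setting)
#   2 = already expired or unreadable
bundle_expires_within() {
    # -checkend N exits 0 if the cert will NOT have expired N seconds from now.
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Constructed sample input: a throwaway self-signed certificate valid for
# $2 days, standing in for the cert.pem of a real bundle (assumed file name).
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=constructed-sample" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

demo() {
    demo_dir="$(mktemp -d)"
    make_sample_cert "$demo_dir/cert.pem" 30
    bundle_not_after "$demo_dir/cert.pem"
    if bundle_expires_within "$demo_dir/cert.pem" $((31 * 86400)); then
        echo "OK: certificate expires within 31 days"
    else
        echo "FAIL: certificate outlives 31 days or is not valid"
    fi
    rm -rf "$demo_dir"
}
demo
```

Against a real bundle, call bundle_expires_within with the path to the extracted certificate and the configured lifetime in seconds plus a small margin.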
Automation users
You can identify automation users by the is_automation=true tag on the user account. The settings for this tag, which can be applied either at the time of user or organization account creation or through an account update, override any expiration that is set for a regular user through the client_bundle_expiration setting.
To tag a user account as an automation user:
{
  "tags": {
    "is_automation": "true"
  }
}
Automation users are deployed for CI/CD pipelines, scripts, and service accounts, and therefore require long-term client bundle expirations so that automated workflows do not break.