How long are (LDAP) Groups valid in a generated token?

I got an LDAP backend integrated into Rancher 2.1.1. Coming from other systems, I'm missing configuration options for a sync interval.
So when does Rancher actually synchronize the LDAP groups & user details?

As far as I could test:

  • new LDAP groups will appear in the UI (but I'm not sure if they just got queried on the fly)
  • removing a user from an LDAP group will revoke access when he logs in to the UI, BUT:
  • it seems that the removal from LDAP groups only happens on login of that user! Therefore, as long as the user does not log in again, the generated Kubernetes access token will be valid! Which basically means users leaving the company will have a valid token, probably forever?!

So the detailed questions:

  • How, or how often, are the groups synchronized? Or how long do we have to wait until we see a newly created group in the UI?
  • How long are the generated cluster (kubeconfig) access tokens valid?
  • There is no background synchronisation of users & groups? -> meaning as long as a user does not log in to the UI, the kubeconfig access token will be valid forever?