A temporary token can be generated using:
GET /apis/token.kubevirt.io/v1/namespaces/${VMI_NAMESPACE}/virtualmachines/${VMI_NAME}/vnc
Where ${VMI_NAMESPACE} and ${VMI_NAME} are the namespace
and name of a running VMI.
duration- Duration while the token is valid. If it is not specified, then the token will expire after 10 minutes. The minimumdurationvalue is 10 minutes, and there isn't a maximum value. Its format is described in the golang library documentation here:
A duration string is a possibly signed sequence of decimal numbers, each with optional fraction and a unit suffix, such as
300ms,-1.5hor2h45m. Valid time units arens,us(orµs),ms,s,m,h.
Result is a JSON object containing the token:
{ "token": "eyJhb..." }curl --header "Authorization: Bearer ${KUBERNETES_USER_TOKEN}" \
"https://${K8S_API_URL}/apis/token.kubevirt.io/v1/namespaces/${VMI_NAMESPACE}/virtualmachines/${VMI_NAME}/vnc?duration=${DURATION}"In this example, we use a bearer token to authenticate the user with the Kubernetes API server. Kubernetes supports two main ways of authentication, token and TLS client certificates. Additional methods can be configured using the authenticating proxy. More information is in the documentation.
If the user is logged in using a token, then the token can be retrieved using:
KUBERNETES_USER_TOKEN=$(oc whoami -t)Revoking a single token is not possible.
All tokens associated with a VM can be revoked by deleting the ServiceAccount that was created for generating them.
It is in the same namespace as the VM, its name is ${VM_NAME}-vnc-access, and it has ownerReference set to the VM.
kubectl delete serviceaccount --namespace "${VM_NAMESPACE}" "${VM_NAME}-vnc-access"