Illumina Innovates with Rancher and Kubernetes
By default, some cluster-level API tokens are generated with infinite time-to-live (ttl=0). In other words, API tokens with ttl=0 never expire unless you invalidate them. Tokens are not invalidated by changing a password.
You can deactivate API tokens by deleting them or by deactivating the user account.
To delete a token,
Go to the list of all tokens in the Rancher API view at https://<Rancher-Server-IP>/v3/tokens.
Access the token you want to delete by its ID. For example, https://<Rancher-Server-IP>/v3/tokens/kubectl-shell-user-vqkqt
Here is the complete list of tokens that are generated with ttl=0:
Available as of v2.4.6
Starting Rancher v2.4.6, admins can set a global TTL on Kubeconfig tokens. Once the token expires the kubectl command will require the user to authenticate to Rancher.
Disable the kubeconfig-generate-token setting in the Rancher API view at https://<Rancher-Server-IP/v3/settings/kubeconfig-generate-token. This setting instructs Rancher to no longer automatically generate a token when a user clicks on download a kubeconfig file. The kubeconfig file will now provide a command to login to Rancher.
Edit the setting and set the value to false.
Go to setting kubeconfig-token-ttl-minutes in the Rancher API view at https://<Rancher-Server-IP/v3/settings/kubeconfig-token-ttl-minutes. By default, kubeconfig-token-ttl-minutes is 960 (16 hours).
Edit the setting and set the value to desired duration in minutes.
Note: This value cannot exceed max-ttl of API tokens.(https://<Rancher-Server-IP/v3/settings/auth-token-max-ttl-minutes). In Rancher v2.4.6, auth-token-max-ttl-minutes is set to 1440 (24 hours) by default. Starting Rancher v2.4.7, auth-token-max-ttl-minutes would default to 0 allowing tokens to never expire, similar to v2.4.5.