We are using the Kubernetes auth method. The auth configuration is:
$ vault read auth/ik8s/config
Key                                 Value
---                                 -----
disable_iss_validation              true
disable_local_ca_jwt                false
issuer                              n/a
kubernetes_ca_cert                  -----BEGIN CERTIFICATE-----
<redacted>
-----END CERTIFICATE-----
kubernetes_host                     https://<redacted>:8443
pem_keys                            []
token_reviewer_jwt_set              false
use_annotations_as_alias_metadata   false
The role configuration is:
$ vault read auth/ik8s/role/vaultissuer
Key                                         Value
---                                         -----
alias_name_source                           serviceaccount_uid
bound_service_account_names                 [vaultissuer]
bound_service_account_namespace_selector    n/a
bound_service_account_namespaces            [ns1 ns2 ns3]
token_bound_cidrs                           []
token_explicit_max_ttl                      0s
token_max_ttl                               0s
token_no_default_policy                     false
token_num_uses                              0
token_period                                0s
token_policies                              [policy1 policy2 policy3]
token_ttl                                   20m
token_type                                  default
We have audit logging enabled and we are getting ±28 auth requests per second to the auth/ik8s/role/vaultissuer path.
Is this common behaviour? The audit log quickly becomes huge.
Additionally, I noticed the following in the Vault system logs:
Dec 10 13:00:01 ipvault vault[7901]: 2024-12-10T13:00:01.969+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h6a8e5599ed4cf790322605097ecfb4ce0d140369ef802306ff509a822d5abd20
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.041+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h5d9e17f76cd9730feec464ec6b95b415035d4121f14ed54533816f98596a2bd2
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.145+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hb4caf89d9fca8eb5d11f6c37349c6cb87977b8c91b3843515bec75013f38e4c0
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.146+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h5e6f85986f5d01ed5b0cac4f3539bf055eb04c19e8998d73e39dddb22f82963b
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.148+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hd88ccf82be71735fde5027eccb1c2ba63e4662b8544d4196f664159f0cb89099
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.214+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h86fdeaa933308b1c74dc3bab8c7a16b15fc35c1827ced277e94594e4ca448ca9
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.266+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h42972c6ed27a46c7ec19f0405906357e75a2d997d3b79bd516636323a96ecbd6
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.268+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h85a8166bc52f59de4e29238ecc1d4cff7cdd8f2502eb021947a99535d30a8077
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.276+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h1400a52da56ed42bd4447db2060ba509f07338b81533509aae58c670cb389122
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.316+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h13551733286888f2f5609ee19ce2ce86a1ed48393eee8209245a3e608c509722
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.331+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/ha9450a3fde46bdf0fd3ea9e3e329a45824e98b29f454e6bd2ab4b3e97af5a3e4
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.403+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h4702a4e20bd59d8d70b8f36e816a2d54c070f31094a0ac6bd860696fcf0017f5
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.437+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h7397b54f603526f39fcd8696138b42c489359b0111ccf87550a7f47dded60720
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.443+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h6e8ee6b9959bb4eb145eae4d544fcca7b65a23345ee27c05203063137ec370a5
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.466+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h40c25bea5de241215ed1be453aaec4bfa4bb99c53ee7c3da3b17b3cef44a88c1
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.521+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h8914fda6100b5374e5ac74879fb6e848a3570cdc7644bdb9ab3e7237b1d1386e
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.528+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h6e5fc02015722a60dbf7b076a175602ee8bf0885df505692c71249b5cb714760
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.619+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h3651ff5e3e8fdbba5081fad417dc2b686828ccc72e3329e13b7085f4e43405e6
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.623+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h5b09041e9f91c111b5d2e7fd765871a7186a07ac744a11bc77534831def46c4c
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.667+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h6c27b690332044295dacb76f2ad4cab4ab7e92bbdf68051c0d3b403b5383c7d0
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.671+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h139c89b83ac1f2f8e0347cfe096b0ef04789aa31ec9e98d3ddf151a90284e5fb
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.731+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h308086e7fc6e9299ea873df2c475bf33843b517f66a6a31f018f91c9db8e8f66
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.806+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/haa5475d90045d25a87bfab6e62d25cc895ff4a671fcb664d5972291dccaa19cc
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.821+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h7fc068c0c2abe903db7c7869f44bd5e18b0c3a47214cecabb66a501e6161b78b
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.915+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hce7aae547664329792fa72d008eb1af18037cab2481e72e25d55db84821b7338
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.982+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h48c39fcfc415ab53f4eb8557a5c2db083561bd45eb67d7f36e6d5146c9e924f0
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.058+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hbedcbdc1eb1435efe87f2a775ab4c0ebf165996056a00dfad9851ab6d21ac126
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.705+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h6824125cc030415488bf3b4913f9938905456a2ecae329185f86ae118433aff1
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.753+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h6ec5ff692a81f816bdfb8ecd179a0b00d97cb02cdc2ac54ad0da9ac550e2d4a9
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.859+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h61b43ce858b6881f7a1fbef198101b96436dab490264cd2239df18a7b489e959
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.867+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hbddab953c7109dc24f36dcaad38dfe697175100f229949995eb8bb25a6b26c8d
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.919+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hfee0f1240f19ca58e7a4ec345727f6e16995e253fe7b26d3d120ee1754820d5b
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.925+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h7622d21da8cdcdbf6d2c301ec848df2a72992e28b5227ad4412680c0e03591c5
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.981+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h311b67eb72206ac2efaccd33e9273ddbdfa5244cc278be73cdc698457173b1f2
Dec 10 13:00:04 ipvault vault[7901]: 2024-12-10T13:00:04.008+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h155f7be5e59d8e1bc17bcabeeff8a63009d5f3521825addee0fc69f66bbd349a
Dec 10 13:00:04 ipvault vault[7901]: 2024-12-10T13:00:04.055+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h2bf09919b7d880040ac3d1a65fbbd75c4f288375071824921819269aa2388cb8
Dec 10 13:00:04 ipvault vault[7901]: 2024-12-10T13:00:04.119+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/h526244148c1f5471941321c6ff1e2e0def53e77ba11c7ef7d0d360c039c7bd4d
Dec 10 13:00:04 ipvault vault[7901]: 2024-12-10T13:00:04.163+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/haef92093017f512abacd7e029f1332a093bc2dfc5b9b3e78e6630d22c26382cc
You can see a ton of lease revocations per second.
Why is Vault revoking the leases in that short time if the token_ttl is set to 20m?
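Added example (not part of the original post, and not Vault's own tooling): a small Python parser for the `revoked lease` lines quoted above that counts login-lease revocations per second for each auth mount. It assumes each revocation is a login token reaching the role's 20m `token_ttl` and shifts the window back by that amount to show when those logins would have been issued; the sample lines, lease IDs and the `other-mount` name are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Matches the "revoked lease" server log lines in the format quoted in the post.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+[+-]\d{4}) \[INFO\]\s+"
    r"expiration: revoked lease: lease_id=auth/(?P<mount>[^/\s]+)/login/\S+"
)

# Constructed sample: lease IDs are placeholders, "other-mount" is hypothetical.
SAMPLE = """\
Dec 10 13:00:01 ipvault vault[7901]: 2024-12-10T13:00:01.969+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hPLACEHOLDER01
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.041+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hPLACEHOLDER02
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.145+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hPLACEHOLDER03
Dec 10 13:00:02 ipvault vault[7901]: 2024-12-10T13:00:02.146+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hPLACEHOLDER04
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.058+0100 [INFO] expiration: revoked lease: lease_id=auth/ik8s-iacq/login/hPLACEHOLDER05
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.100+0100 [INFO] core: constructed unrelated line
Dec 10 13:00:03 ipvault vault[7901]: 2024-12-10T13:00:03.705+0100 [INFO] expiration: revoked lease: lease_id=auth/other-mount/login/hPLACEHOLDER06
"""


def revocations_per_second(lines, token_ttl=timedelta(minutes=20)):
    """Summarise login-lease revocations per auth mount.

    token_ttl is the role's token_ttl (20m in the post); subtracting it from a
    revocation time gives the login time, assuming expiry and no renewal.
    """
    buckets = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # not a login-lease revocation line
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S.%f%z")
        buckets.setdefault(m["mount"], Counter())[ts.replace(microsecond=0)] += 1

    report = {}
    for mount, per_sec in buckets.items():
        first, last = min(per_sec), max(per_sec)
        total = sum(per_sec.values())
        span_s = (last - first).total_seconds() + 1  # inclusive one-second buckets
        report[mount] = {
            "total": total,
            "peak_per_s": max(per_sec.values()),
            "mean_per_s": round(total / span_s, 2),
            "implied_login_window": (first - token_ttl, last - token_ttl),
        }
    return report
```

Comparing `mean_per_s` for a mount with the login rate seen in the audit log for the same mount shows whether the revocations are simply earlier logins ageing out.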