From a0fa02a665a2fd14559947c1cac7fc600e426be8 Mon Sep 17 00:00:00 2001
From: kinarashah <kinara@rancher.com>
Date: Mon, 25 Jan 2021 10:45:45 -0800
Subject: [PATCH] add known issues for kubeconfig tokens

---
 .../rancher/v2.x/en/api/api-tokens/_index.md  | 11 ++++----
 .../v2.x/en/quick-start-guide/cli/_index.md   | 28 +++++++++++++------
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/content/rancher/v2.x/en/api/api-tokens/_index.md b/content/rancher/v2.x/en/api/api-tokens/_index.md
index 46d2c93d662..36f164526fc 100644
--- a/content/rancher/v2.x/en/api/api-tokens/_index.md
+++ b/content/rancher/v2.x/en/api/api-tokens/_index.md
@@ -22,7 +22,7 @@ Here is the complete list of tokens that are generated with `ttl=0`:
 
 | Token | Description |
 |-------|-------------|
-| `kubeconfig-*` | Kubeconfig token | 
+| `kubeconfig-*` | Kubeconfig token |
 | `kubectl-shell-*` | Access to `kubectl` shell in the browser |
 | `agent-*` | Token for agent deployment |
 | `compose-token-*` | Token for compose |
@@ -37,14 +37,15 @@ _**Available as of v2.4.6**_
 
 Starting Rancher v2.4.6, admins can set a global TTL on Kubeconfig tokens. Once the token expires the kubectl command will require the user to authenticate to Rancher.
 
+_**Note:**_:
+
+Existing kubeconfig tokens won't be updated with the new TTL. Admins can [delete old kubeconfig tokens](#deleting-tokens).
+
 1. Disable the kubeconfig-generate-token setting in the Rancher API view at `https://<Rancher-Server-IP/v3/settings/kubeconfig-generate-token`. This setting instructs Rancher to no longer automatically generate a token when a user clicks on download a kubeconfig file. The kubeconfig file will now provide a command to login to Rancher.
 
-2. Edit the setting and set the value to `false`. 
+2. Edit the setting and set the value to `false`.
 
 3. Go to setting kubeconfig-token-ttl-minutes in the Rancher API view at `https://<Rancher-Server-IP/v3/settings/kubeconfig-token-ttl-minutes`. By default, kubeconfig-token-ttl-minutes is 960 (16 hours).
 
 4. Edit the setting and set the value to desired duration in minutes.
 _**Note:**_ This value cannot exceed max-ttl of API tokens.(`https://<Rancher-Server-IP/v3/settings/auth-token-max-ttl-minutes`). In Rancher v2.4.6, auth-token-max-ttl-minutes is set to 1440 (24 hours) by default. Starting Rancher v2.4.7, auth-token-max-ttl-minutes would default to 0 allowing tokens to never expire, similar to v2.4.5.
-
-
- 
\ No newline at end of file
diff --git a/content/rancher/v2.x/en/quick-start-guide/cli/_index.md b/content/rancher/v2.x/en/quick-start-guide/cli/_index.md
index 92587791f3a..41e15bb83c0 100644
--- a/content/rancher/v2.x/en/quick-start-guide/cli/_index.md
+++ b/content/rancher/v2.x/en/quick-start-guide/cli/_index.md
@@ -22,20 +22,30 @@ Run `kubectl cluster-info` or `kubectl get pods` successfully.
 
 ## Authentication with kubectl and kubeconfig Tokens with TTL
 
-_**Available as of v2.4.6**_ 
+_**Available as of v2.4.6**_
 
 _Requirements_
 
-If admins have [enforced TTL on kubeconfig tokens]({{<baseurl>}}/rancher/v2.x/en/api/api-tokens/#setting-ttl-on-kubeconfig-tokens), the kubeconfig file requires the [Rancher cli](../cli) to be present in your PATH when you run `kubectl`. Otherwise, you’ll see error like: 
-`Unable to connect to the server: getting credentials: exec: exec: "rancher": executable file not found in $PATH`. 
+If admins have [enforced TTL on kubeconfig tokens]({{<baseurl>}}/rancher/v2.x/en/api/api-tokens/#setting-ttl-on-kubeconfig-tokens), the kubeconfig file requires the [Rancher cli](../cli) to be present in your PATH when you run `kubectl`. Otherwise, you’ll see error like:
+`Unable to connect to the server: getting credentials: exec: exec: "rancher": executable file not found in $PATH`.
 
-This feature enables kubectl to authenticate with the Rancher server and get a new kubeconfig token when required. The following auth providers are currently supported: 
+This feature enables kubectl to authenticate with the Rancher server and get a new kubeconfig token when required. The following auth providers are currently supported:
 
 1. Local
 2. Active Directory
-3. FreeIpa, OpenLdap 
-4. SAML providers - Ping, Okta, ADFS, Keycloak, Shibboleth 
+3. FreeIpa, OpenLdap
+4. SAML providers - Ping, Okta, ADFS, Keycloak, Shibboleth
 
-When you first run kubectl, for example, `kubectl get pods`, it will ask you to pick an auth provider and log in with the Rancher server. 
-The kubeconfig token is cached in the path where you run kubectl under `./.cache/token`. This token is valid till [it expires](../../api/api-tokens/#setting-ttl-on-kubeconfig-tokens-period), or [gets deleted from the Rancher server](../../api/api-tokens/#deleting-tokens) 
-Upon expiration, the next `kubectl get pods` will ask you to log in with the Rancher server again. 
+When you first run kubectl, for example, `kubectl get pods`, it will ask you to pick an auth provider and log in with the Rancher server.
+The kubeconfig token is cached in the path where you run kubectl under `./.cache/token`. This token is valid till [it expires](../../api/api-tokens/#setting-ttl-on-kubeconfig-tokens-period), or [gets deleted from the Rancher server](../../api/api-tokens/#deleting-tokens)
+Upon expiration, the next `kubectl get pods` will ask you to log in with the Rancher server again.
+
+_Note_
+
+As of CLI [v2.4.10](https://github.com/rancher/cli/releases/tag/v2.4.10), the kubeconfig token can be cached at a chosen path with `cache-dir` flag or env var `RANCHER_CACHE_DIR`.
+
+_**Current Known Issues**_
+
+1. If [authorized cluster endpoint]({{<baseurl>}}/rancher/v2.x/en/overview/architecture/#4-authorized-cluster-endpoint) is enabled for RKE clusters to [authenticate directly with downstream cluster]({{<baseurl>}}/rancher/v2.x/en/cluster-admin/cluster-access/kubectl/#authenticating-directly-with-a-downstream-cluster) and Rancher server goes down, all kubectl calls will fail after the kubeconfig token expires. No new kubeconfig tokens can be generated if Rancher server isn't accessible.
+2. If a kubeconfig token is deleted from Rancher [API tokens]({{<baseurl>}}/rancher/v2.x/en/api/api-tokens/#deleting-tokens) page, and the token is still cached, cli won't ask you to login again until the token expires or is deleted. 
+`kubectl` calls will result into an error like `error: You must be logged in to the server (the server has asked for the client to provide credentials`. Tokens can be deleted using `rancher token delete`.