☂️ Projected Service Account Tokens #4878
Labels: area/security (Security related), kind/enhancement (Enhancement, improvement, extension), priority/3 (Priority; lower number equals higher priority)
Comments

gardener-robot added the area/security (Security related) and priority/3 (Priority; lower number equals higher priority) labels on Oct 20, 2021
This was referenced Oct 27, 2021: Enable RootCAPublisher and make gardener-resource-manager use a projected ServiceAccount token #4940 (Merged)
This was referenced Nov 12, 2021
This was referenced Nov 29, 2021
This was referenced Dec 6, 2021 (Closed)
This was referenced Dec 14, 2021
This was referenced Dec 20, 2021
This was referenced Jan 17, 2022
This was referenced Jan 25, 2022
This was referenced Mar 2, 2022 (Merged)
@rfranzke: Closing this issue.

In response to this:

> All related tasks have been completed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
How to categorize this issue?
/area security
/kind enhancement
/priority 3
This is an epic to track the development related to leveraging projected `ServiceAccount` tokens for the components Gardener deploys into seed and shoot clusters.

- Merge the `gardener/gardener-resource-manager` repository into `gardener/gardener` since we decided to add new controllers/webhooks to GRM as it's already deployed for all seeds and shoots: `gardener-resource-manager` in the same version like `gardenlet` #4848
- Mimic the upstream `rootcacertpublisher` controller in `kube-controller-manager` to make its functionality available for old Kubernetes versions (Enable `RootCAPublisher` and make `gardener-resource-manager` use a projected `ServiceAccount` token #4940)
- Webhook for automatically adding projected `ServiceAccount` token `volumes` and `volumeMounts` for `Pod`s (so that we don't have to manually adapt all the components deployed in seeds and shoots): `ServiceAccount` tokens into `Pod`s #4873
- `gardener-resource-manager` is highly available #4941
- `gardener-resource-manager`'s `TokenInvalidator` and `ProjectedTokenMount` webhooks in seed and shoot #5002
- `ServiceAccount` tokens for components running in seed talking to the seed API server #4659
- `ServiceAccount` tokens for components running in shoot talking to the shoot API server #4660
- Controller for creating `ServiceAccount`s in shoot clusters, requesting short-lived tokens, and pushing them back into the shoot namespaces in the seed for the control plane components to use (e.g. `kube-scheduler`) when communicating with the shoots' `kube-apiserver`s (`ServiceAccount` token requestor controller #4867; `TokenRequestor` and eliminate client certificate for `kube-scheduler` #4931)
- Controller for invalidating static `ServiceAccount` tokens since we plan to not use them anymore and since Kubernetes does not provide such a feature yet (`ServiceAccount` token invalidator #4817; `gardener-resource-manager`'s `TokenInvalidator` and `ProjectedTokenMount` webhooks in seed and shoot #5002)

Miscellaneous

- `TokenInvalidator` and `TokenRequestor` #5341
- `ProjectedTokenMount` #5506
- `ServiceAccount`s for controllers part of `kube-controller-manager` #5422
  - `ServiceAccount` tokens for the controllers part of `kube-controller-manager` in the `kube-system` namespace of shoot clusters are now invalidated for all Kubernetes versions. However, note that the tokens for three of these controllers (`{node,route,service}` controllers) will only be invalidated for Kubernetes 1.21+ clusters since the `cloud-controller-manager`s of prior versions still rely on them.

Related, but out of scope for now and potential improvements for the future

- `ServiceAccount`s in the shoot created by the `TokenRequestor` (ref Protect Service Accounts Against Deletion/Remedy Deletions #55)
- `TokenInvalidator` and `ProjectedVolumeMount` usable for shoot cluster users #4924
- `Token{Requestor,Invalidator}` controllers part of `gardener-resource-manager`
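The following is an added example and is not code from this issue or from the Gardener project. It contrasts the two `Pod` configurations the epic is about: the legacy pattern, where the kubelet auto-mounts a static, non-expiring `ServiceAccount` token stored in a `Secret`, and the hardened pattern that the issue's `ProjectedTokenMount` webhook is meant to inject automatically, where the static mount is disabled and a short-lived, audience-bound token is projected instead. The namespace, pod and image names, the `kube-api-access` volume name and the `audience` value are hypothetical; `kube-root-ca.crt` is the upstream name of the ConfigMap published by the `RootCAPublisher` controller the issue refers to.

```yaml
# Added example; not from the Gardener issue or codebase.
# Namespace, names, image and audience are hypothetical.

# Before: legacy pattern. With automountServiceAccountToken left at its default,
# the kubelet mounts the ServiceAccount's static Secret token at
# /var/run/secrets/kubernetes.io/serviceaccount. That token has no expiry and
# is not bound to an audience, so a copy stays valid until the Secret is deleted
# (which is what the issue's TokenInvalidator exists to address).
apiVersion: v1
kind: Pod
metadata:
  name: legacy-component
  namespace: shoot--foo--bar
spec:
  serviceAccountName: example-component
  containers:
  - name: main
    image: example/component:1.0
---
# After: static mount disabled, projected token mounted at the same path so
# client libraries keep working unchanged. The kubelet requests the token via
# the TokenRequest API and rotates it before expirationSeconds elapse, so a
# leaked token is time-limited and only accepted by an API server whose
# configured audiences include the one requested here.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-component
  namespace: shoot--foo--bar
spec:
  serviceAccountName: example-component
  automountServiceAccountToken: false
  containers:
  - name: main
    image: example/component:1.0
    volumeMounts:
    - name: kube-api-access
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  - name: kube-api-access
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 43200
          # Hypothetical value: it must match an audience accepted by the
          # target kube-apiserver (--api-audiences); omit it to use the default.
          audience: kubernetes
      - configMap:
          # Published into every namespace by the root CA publisher controller.
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

The check a practitioner wants after rolling this out: `kubectl get secrets` in the component's namespace should show no `kubernetes.io/service-account-token` Secret still in use by the workload, and the token file inside the container should be a JWT carrying `exp` and `aud` claims rather than the claim-free static token.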