☂️ Projected Service Account Tokens #4878
Labels
area/security
Security related
kind/enhancement
Enhancement, improvement, extension
priority/3
Priority (lower number equals higher priority)
Comments
gardener-robot
added
area/security
This was referenced Oct 27, 2021
Enable
RootCAPublisher and make gardener-resource-manager use a projected ServiceAccount token
#4940
Merged
This was referenced Nov 12, 2021
This was referenced Nov 29, 2021
This was referenced Dec 6, 2021
Closed
This was referenced Dec 14, 2021
This was referenced Dec 20, 2021
This was referenced Jan 17, 2022
This was referenced Jan 25, 2022
This was referenced Mar 2, 2022
Merged
|
All related tasks have been completed. |
|
@rfranzke: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
How to categorize this issue?
/area security
/kind enhancement
/priority 3
This is an epic to track the development related to leveraging projected
ServiceAccounttokens for the components Gardener deploys into seed and shoot clustersMerge
gardener/gardener-resource-managerrepository intogardener/gardenersince we decided to add new controllers/webhooks to GRM as it's already deployed for all seeds and shoots:gardener-resource-managerin the same version likegardenlet#4848Mimic upstream
rootcacertpublishercontroller inkube-controller-managerto make its functionality available for old Kubernetes versionsRootCAPublisherand makegardener-resource-manageruse a projectedServiceAccounttoken #4940)Webhook for automatically adding projected
ServiceAccounttokenvolumesandvolumeMountsforPods (so that we don't have to manually adapt all the components deployed in seeds and shoots)ServiceAccounttokens intoPods #4873gardener-resource-manageris highly available #4941gardener-resource-manager'sTokenInvalidatorandProjectedTokenMountwebhooks in seed and shoot #5002)ServiceAccounttokens for components running in seed talking to the seed API server #4659ServiceAccounttokens for components running in shoot talking to the shoot API server #4660Controller for creating
ServiceAccounts in shoot clusters, requesting short-lived tokens, and pushing them back into the shoot namespaces in the seed for the control plane components to use (e.g.kube-scheduler) when communicating with the shoots'kube-apiserversServiceAccounttoken requestor controller #4867TokenRequestorand eliminate client certificate forkube-scheduler#4931)Controller for invalidating static
ServiceAccounttokens since we plan to not use them anymore and since Kubernetes does not provide such a feature yetServiceAccounttoken invalidator #4817gardener-resource-manager'sTokenInvalidatorandProjectedTokenMountwebhooks in seed and shoot #5002)Miscellaneous
TokenInvalidatorandTokenRequestor#5341ProjectedTokenMount#5506ServiceAccounts for controllers part ofkube-controller-manager#5422ServiceAccounttokens for the controllers part ofkube-controller-managerin thekube-systemnamespace of shoot clusters are now invalidated for all Kubernetes versions. However, note that the tokens for three of these controllers ({node,route,service}controllers) will only be invalidated for Kubernetes 1.21+ clusters since thecloud-controller-managers of prior versions still rely on them.Related, but out of scope for now and potential improvements for the future
ServiceAccounts in the shoot created by theTokenRequestor(ref Protect Service Accounts Against Deletion/Remedy Deletions #55)TokenInvalidatorandProjectedVolumeMountusable for shoot cluster users #4924Token{Requestor,Invalidator}controllers part ofgardener-resource-managerThe text was updated successfully, but these errors were encountered: