🛡 Switch shoot components to projected `ServiceAccount` tokens #5099
Merged: rfranzke merged 4 commits into gardener:master from rfranzke:enh/projected-sa-tokens-shoot on Dec 15, 2021
gardener-robot added the labels area/security (Security related), kind/enhancement (Enhancement, improvement, extension), needs/review and size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) on Nov 30, 2021
rfranzke force-pushed the enh/projected-sa-tokens-shoot branch from 794a616 to 618cd25 on December 3, 2021 16:10
/ready
/invite @BeckerMax
@rfranzke You need to rebase this pull request with the latest master branch. Please check.
rfranzke force-pushed the enh/projected-sa-tokens-shoot branch from 618cd25 to 1053cd5 on December 7, 2021 12:16
gardener-robot added the label size/M (Denotes a PR that changes 30-99 lines, ignoring generated files) and removed the label size/S on Dec 7, 2021
rfranzke changed the title from "Switch shoot components to projected `ServiceAccount` tokens" to "🛡 Switch shoot components to projected `ServiceAccount` tokens" on Dec 14, 2021
/assign
only nit, otherwise works for me
charts/shoot-core/components/charts/kube-proxy/templates/rbac.yaml
danielfoehrKn approved these changes on Dec 15, 2021
This was referenced Apr 4, 2022
krgostev pushed a commit to krgostev/gardener that referenced this pull request on Apr 21, 2022:
…ner#5099)
* Eliminate client certificate for `kube-proxy`
* Switch to projected `ServiceAccount` tokens (Helm charts)
* Switch to projected `ServiceAccount` tokens (Golang components)
* Address PR review feedback
krgostev pushed a commit to krgostev/gardener that referenced this pull request on Jul 5, 2022:
…ner#5099)
* Eliminate client certificate for `kube-proxy`
* Switch to projected `ServiceAccount` tokens (Helm charts)
* Switch to projected `ServiceAccount` tokens (Golang components)
* Address PR review feedback
How to categorize this PR?
/area security
/kind enhancement
/merge squash
What this PR does / why we need it:
This PR adapts all components deployed by Gardener into the shoot cluster to use projected `ServiceAccount` tokens (instead of the static tokens or even client certificates (in case of `kube-proxy`)).
Which issue(s) this PR fixes:
Part of #4660
Part of #4878
Special notes for your reviewer:
`.metadata.annotations` section of the respective pod templates.
`ServiceAccount` actively (in those cases it's only added to make `PodSecurityPolicy`s work).
Depends on Add workaround for projected service account tokens #5098 which needs to be merged first, hence, it's in draft state.
Release note: