
🛡 Switch shoot components to projected ServiceAccount tokens #5099

Merged
merged 4 commits into gardener:master from enh/projected-sa-tokens-shoot
Dec 15, 2021

Conversation

rfranzke
Member

@rfranzke rfranzke commented Nov 30, 2021

How to categorize this PR?

/area security
/kind enhancement
/merge squash

What this PR does / why we need it:
This PR adapts all components deployed by Gardener into the shoot cluster to use projected ServiceAccount tokens (instead of static tokens or, in the case of kube-proxy, even client certificates).

Which issue(s) this PR fixes:
Part of #4660
Part of #4878

Special notes for your reviewer:

  • We have to trigger a rollout of the pods; hence, there is a change in the .metadata.annotations section of the respective pod templates.
  • Note that not all pods use their ServiceAccount actively (in those cases it is only added to make PodSecurityPolicies work).
  • Depends on "Add workaround for projected service account tokens" #5098, which needs to be merged first; hence, this PR is in draft state.

Release note:

All shoot system components deployed by Gardener have been switched to projected `ServiceAccount` tokens (instead of continued usage of static tokens).
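As an added example (not code from this PR or from the Gardener project), a Deployment pod template that mounts a short-lived projected ServiceAccount token in place of the legacy Secret-based static token, together with the pod-template annotation change the PR description mentions for forcing a rollout; the component name, namespace, image and annotation key are assumptions:

```yaml
# Added example, not from the Gardener PR. "shoot-component", the image and
# the annotation key are assumed names.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: shoot-component
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: shoot-component
  template:
    metadata:
      labels:
        app: shoot-component
      annotations:
        # Changing a pod-template annotation forces a rollout, so already
        # running pods are replaced and pick up the projected token volume.
        checksum/serviceaccount-token-mode: projected-v1
    spec:
      serviceAccountName: shoot-component
      # Stop the kubelet from mounting the legacy, non-expiring Secret token.
      automountServiceAccountToken: false
      containers:
      - name: component
        image: example.invalid/shoot-component:1.0   # placeholder image
        volumeMounts:
        - name: kube-api-access
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
      volumes:
      - name: kube-api-access
        projected:
          sources:
          # Bound token: expires, is tied to this pod, and is rotated by the
          # kubelet before expiry. Audience is omitted, so the API server's
          # default audience is used.
          - serviceAccountToken:
              path: token
              expirationSeconds: 43200
          # CA bundle published by the control plane into every namespace.
          - configMap:
              name: kube-root-ca.crt
              items:
              - key: ca.crt
                path: ca.crt
          - downwardAPI:
              items:
              - path: namespace
                fieldRef:
                  fieldPath: metadata.namespace
```

A token mounted this way carries an `exp` claim and a pod binding, which is what distinguishes it from the static Secret token the PR removes; decoding the mounted file with a JWT tool makes the bounded lifetime visible.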

@gardener-robot gardener-robot added the labels area/security (Security related), kind/enhancement (Enhancement, improvement, extension), needs/review and size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) on Nov 30, 2021
@rfranzke rfranzke force-pushed the enh/projected-sa-tokens-shoot branch from 794a616 to 618cd25 Compare December 3, 2021 16:10
@rfranzke
Member Author

rfranzke commented Dec 3, 2021

/ready

@gardener-robot gardener-robot marked this pull request as ready for review December 3, 2021 16:27
@gardener-robot gardener-robot requested a review from a team as a code owner December 3, 2021 16:27
@rfranzke
Member Author

rfranzke commented Dec 6, 2021

/invite @BeckerMax

@gardener-robot

@rfranzke You need to rebase this pull request with the latest master branch. Please check.

@rfranzke rfranzke force-pushed the enh/projected-sa-tokens-shoot branch from 618cd25 to 1053cd5 Compare December 7, 2021 12:16
@gardener-robot gardener-robot added the label size/M (Denotes a PR that changes 30-99 lines, ignoring generated files) and removed the label size/S (Denotes a PR that changes 10-29 lines, ignoring generated files) on Dec 7, 2021
@rfranzke rfranzke changed the title Switch shoot components to projected ServiceAccount tokens 🛡 Switch shoot components to projected ServiceAccount tokens Dec 14, 2021
@danielfoehrKn
Contributor

/assign

Contributor

@danielfoehrKn danielfoehrKn left a comment


only nit, otherwise works for me

@rfranzke rfranzke merged commit f4b00db into gardener:master Dec 15, 2021
@rfranzke rfranzke deleted the enh/projected-sa-tokens-shoot branch December 15, 2021 13:31
krgostev pushed a commit to krgostev/gardener that referenced this pull request Apr 21, 2022
…ner#5099)

* Eliminate client certificate for `kube-proxy`

* Switch to projected `ServiceAccount` tokens (Helm charts)

* Switch to projected `ServiceAccount` tokens (Golang components)

* Address PR review feedback
krgostev pushed a commit to krgostev/gardener that referenced this pull request Jul 5, 2022