Reduction of Secret-based Service Account Tokens

[zshihang]

Enhancement Description

• One-line enhancement description: reduce secret-based service account tokens

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token

• Discussion Link: sig-auth

• Primary contact (assignee): @zshihang, @yt2985

• Responsible SIGs: sig-auth

• Enhancement target (which target equals to which milestone):

  • LegacyServiceAccountTokenNoAutoGeneration feature gate
    • Beta release target (x.y): 1.24
    • Stable release target (x.y): 1.26
  • LegacyServiceAccountTokenTracking feature gate
    • Alpha release target (x.y): 1.26
    • Beta release target (x.y): 1.27
    • Stable release target (x.y): 1.28
  • LegacyServiceAccountTokenCleanUp feature gate
    • Alpha release target (x.y): 1.28
    • Beta release target (x.y): 1.29
    • Stable release target (x.y): 1.30

• 1.24

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: Reduction of Secret-based Service Account Tokens #2800
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • no auto-generation of secret-based service account token kubernetes#108309
  • Docs (k/website) update PR(s):
    • Stop recommending people scrape auto-generated service account tokens website#31845
    • Fixup service account token doc website#31894
    • New feature 'LegacyServiceAccountTokenNoAutoGeneration' website#32339

• 1.25

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: Update for 1.25 #3393

• 1.26

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: LegacyServiceAccountTokenNoAutoGeneration ga and LegacyServiceAccountTokenTracking alpha #3536
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • graduate LegacyServiceAccountTokenNoAutoGeneration to ga kubernetes#112838
    • LegacyServiceAccountTokenTracking
      • track legacy service account tokens kubernetes#108858
  • Docs (k/website) update(s):
    • update doc of KEP-2799 website#37483

• 1.27

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: update for LegacyServiceAccountTokenTracking beta #3696
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • lock LegacyServiceAccountTokenNoAutoGeneration kubernetes#114522
    • LegacyServiceAccountTokenTracking
      • graduate LegacyServiceAccountTokenTracking to beta kubernetes#114523
  • Docs (k/website) update(s):
    • LegacyServiceAccountTokenNoAutoGeneration / LegacyServiceAccountTokenTracking gate PR - update LegacyServiceAccountTokenTracking to beta website#40066

• 1.28

  • KEP (k/enhancements) update PR(s):
    • update kep-2799 #3964
    • KEP-2799: update latest-milestone to 1.28 #4135
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenTracking
      • graduate LegacyServiceAccountTokenTracking to GA kubernetes#117591
    • LegacyServiceAccountTokenCleanUp
      • LegacyServiceAccountTokenCleanUp alpha kubernetes#115554
  • Docs (k/website) update(s):
    • Add LegacyServiceAccountTokenCleanUp feature in alpha; move LegacyServiceAccountTokenTracking to GA website#41341

• 1.29

  • KEP (k/enhancements) update PR(s):
    • Revise KEP 2799-reduction-of-secret-based-service-account-token for LegacyServiceaccountTokenCleanup feature. #4157
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenCleanUp
      • LegacyServiceAccountTokenCleanUp beta kubernetes#120682
  • Docs (k/website) update(s):
    • Add LegacyServiceAccountTokenCleanUp feature in beta website#43563

[zshihang]

/sig auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[enj]

/remove-lifecycle stale
/lifecycle frozen

[gracenng]

Hi @zshihang , 1.24 Enhancements Lead here. Will this enhancement (both features) be in alpha for 1.24?
Thanks

[zshihang]

LegacyServiceAccountTokenNoAutoGeneration would be beta in 1.24; LegacyServiceAccountTokenTracking and LegacyServiceAccountTokenCleanUp would be alpha in 1.24.

[gracenng]

Cross posted in PR
Hi @zshihang ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. I'll mark this as beta while awaiting your confirmation
Here’s where this enhancement currently stands:

• Updated KEP file using the latest template has been merged into the k/enhancements repo KEP-2799: Reduction of Secret-based Service Account Tokens #2800
• KEP status is marked as implementable for this release with latest-milestone: 1.24
• KEP has a test plan section filled out.
• KEP has up to date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is track as at risk. @zshihang, you replied "done" in the PR but it has not been merged. Did I miss something?
Thanks!

[liggitt]

@gracenng the linked PR has now merged. can you confirm this is in good shape for enhancements freeze?

[gracenng]

Thanks for the ping @liggitt . Updated status to tracked, all good for enhancements freeze

[chrisnegus]

Hi @zshihang 👋 1.24 Docs shadow here.

This enhancement is marked as 'Needs Docs' for the 1.24 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.24 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu March 31, 11:59 PM PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

[gracenng]

Hi @zshihang 1.24 Enhancements Team here,

With Code Freeze approaching on 18:00 PDT Tuesday March 29th 2022, the enhancement status is at risk as there is no linked k/k PR. Kindly list them in this issue. Thanks!

[liggitt]

updated description with code and docs PRs

[chrisnegus]

@liggitt Thanks for adding links to the docs PRs. Is that all the documentation required for this KEP in 1.24?

[liggitt]

the unchecked items represent work yet to be done

[aramase]

@zshihang Is there any work being done for this KEP in v1.28?

[zshihang]

Shihang Zhang Is there any work being done for this KEP in v1.28?

no, the changes are completed.

[enj]

KEP and PRR look good for v1.28: #3964 (comment)

[Kasambx]

Hello @zshihang 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 1:00 UTC on Friday 16th June 2023..

This enhancement is targeting for stage beta for v 1.28 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.28
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following:

• Update the KEP to the latest milestone
• update readme on the graduation criteria

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[Atharva-Shinde]

Hey @zshihang Enhancements lead here! Looks like there has been an oversight on this KEP, the KEP didn't satisfy the 1.28 release cycle criteria and was still marked as "tracked" by one of our enhancements team members. And from the current state of the KEP it looks like it still hasn't been updated with latest information. Therefore unfortunately this KEP won't be able to move forward for the current 1.28 release cycle. Feel free to opt-in for the next release cycle i.e v1.29.

Sorry for the inconvenience!

[zshihang]

the graduation criteria is already up-to-date. the latest-mile was left behind accidentally in #4135.

[Atharva-Shinde]

Hey @zshihang I see that all the code related and doc related PRs have been merged for v1.28 according to the issue description, are there any more of these types of PRs that needs to be tracked?

[zshihang]

all PRs are in the description.

[Atharva-Shinde]

With all the code, documentation and KEP related changes done and merged I am marking this enhancement as Tracked for v1.28.

[npolshakova]

/remove-label lead-opted-in

[liggitt]

/label lead-opted-in

we're continuing work on this in 1.29

[rayandas]

Hello @zshihang 👋, v1.29 Enhancements team here.

Just checking in as we approach enhancements freeze on 01:00 UTC, Friday, 6th October, 2023.

This enhancement is targeting for stage beta for v1.29 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.29
• KEP readme has a updated detailed test plan section filled out
• KEP readme has up to date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements.

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[katcosgrove]

Hey there @liggitt and @zshihang 👋, v1.29 Docs Lead here.
Does this enhancement work planned for v1.29 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.29 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, 19 October 2023.
Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.
Thank you!

[katcosgrove]

Hi @liggitt and @zshihang! The deadline to open a placeholder PR against k/website for required documentation is this Thursday, 19 October. Could you please update me on the status of docs for this enhancement? Thank you!

[liggitt]

Could you please update me on the status of docs for this enhancement? Thank you!

kubernetes/kubernetes#120682 is open and in review with the beta updates for the LegacyServiceAccountTokenCleanUp feature gate.

We'll get a placeholder doc PR open

[James-Quigley]

Hi @zshihang 👋 from the v1.29 Communications Release Team! We would like to check if you have any plans to publish blogs for this KEP regarding new features, removals, and deprecations for this release.
If so, you need to open a PR placeholder in the website repository.
The deadline will be on Tuesday 14th November 2023 (after the Docs deadline PR ready for review)
Here's the 1.29 Calendar

[yt2985]

Hi @James-Quigley, I have opened kubernetes/website#43563 in website repo for the kubernetes/kubernetes#120682.

[rayandas]

Hey again @zshihang 👋, 1.29 Enhancements team here,

Just checking in as we approach code freeze at 01:00 UTC Wednesday 1st November 2023: .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).

• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

With all this, the status of this KEP is now tracked for code freeze.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.
As always, we are here to help if any questions come up. Thanks!

[Priyankasaggu11929]

Hello @zshihang @yt2985 @yuanchen8911 👋, 1.29 Release team here.

With below implementation(code related) PRs merged as per the issue description, this enhancement is now marked as tracked for code freeze for the 1.29 Code Freeze! 🚀

• LegacyServiceAccountTokenCleanUp beta kubernetes#120682
• Add audit annotations and metrics to track secret-based long-lived tokens kubernetes#118598

The test freeze is 01:00 UTC Wednesday 15th November 2023 / 18:00 PDT Tuesday 14th November 2023. Please make sure all test PRs are merged in by then.

Please let me know if there are any test PRs we should track. Thanks!

cc: @rayandas

[James-Quigley]

Hi @James-Quigley, I have opened kubernetes/website#43563 in website repo for the kubernetes/kubernetes#120682.

Hello, that PR is actually for docs. If you wish to have a blog post about this feature, a separate placeholder PR will be needed in the https://github.com/kubernetes/website repository. The deadline for the placeholder PR is today.

[kcmartin]

Tagging @yt2985 for this comment, and noting the 1.29 Feature Blog Draft PR Deadline is today, November 14, 2023

[yt2985]

Thank you, @James-Quigley, @kcmartin, I think we don't have the plan to write a blog post about this feature. It's enough with the current doc.