Reduction of Secret-based Service Account Tokens

[zshihang]

Enhancement Description

• One-line enhancement description: reduce secret-based service account tokens

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token

• Discussion Link: sig-auth

• Primary contact (assignee): @zshihang, @yt2985

• Responsible SIGs: sig-auth

• Enhancement target (which target equals to which milestone):

  • LegacyServiceAccountTokenNoAutoGeneration feature gate
    • Beta release target (x.y): 1.24
    • Stable release target (x.y): 1.26
  • LegacyServiceAccountTokenTracking feature gate
    • Alpha release target (x.y): 1.26
    • Beta release target (x.y): 1.27
    • Stable release target (x.y): 1.28
  • LegacyServiceAccountTokenCleanUp feature gate
    • Alpha release target (x.y): 1.28
    • Beta release target (x.y): 1.29
    • Stable release target (x.y): 1.30

• 1.24

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: Reduction of Secret-based Service Account Tokens #2800
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • no auto-generation of secret-based service account token kubernetes#108309
  • Docs (k/website) update PR(s):
    • Stop recommending people scrape auto-generated service account tokens website#31845
    • Fixup service account token doc website#31894
    • New feature 'LegacyServiceAccountTokenNoAutoGeneration' website#32339

• 1.25

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: Update for 1.25 #3393

• 1.26

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: LegacyServiceAccountTokenNoAutoGeneration ga and LegacyServiceAccountTokenTracking alpha #3536
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • graduate LegacyServiceAccountTokenNoAutoGeneration to ga kubernetes#112838
    • LegacyServiceAccountTokenTracking
      • track legacy service account tokens kubernetes#108858
  • Docs (k/website) update(s):
    • update doc of KEP-2799 website#37483

• 1.27

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: update for LegacyServiceAccountTokenTracking beta #3696
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • lock LegacyServiceAccountTokenNoAutoGeneration kubernetes#114522
    • LegacyServiceAccountTokenTracking
      • graduate LegacyServiceAccountTokenTracking to beta kubernetes#114523
  • Docs (k/website) update(s):
    • LegacyServiceAccountTokenNoAutoGeneration / LegacyServiceAccountTokenTracking gate PR - update LegacyServiceAccountTokenTracking to beta website#40066

• 1.28

  • KEP (k/enhancements) update PR(s):
    • update kep-2799 #3964
    • KEP-2799: update latest-milestone to 1.28 #4135
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenTracking
      • graduate LegacyServiceAccountTokenTracking to GA kubernetes#117591
    • LegacyServiceAccountTokenCleanUp
      • LegacyServiceAccountTokenCleanUp alpha kubernetes#115554
  • Docs (k/website) update(s):
    • Add LegacyServiceAccountTokenCleanUp feature in alpha; move LegacyServiceAccountTokenTracking to GA website#41341

• 1.29

  • KEP (k/enhancements) update PR(s):
    • Revise KEP 2799-reduction-of-secret-based-service-account-token for LegacyServiceaccountTokenCleanup feature. #4157
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenCleanUp
      • LegacyServiceAccountTokenCleanUp beta kubernetes#120682
  • Docs (k/website) update(s):
    • Add LegacyServiceAccountTokenCleanUp feature in beta website#43563

[zshihang]

/sig auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[enj]

/remove-lifecycle stale
/lifecycle frozen

[gracenng]

Hi @zshihang , 1.24 Enhancements Lead here. Will this enhancement (both features) be in alpha for 1.24?
Thanks

[zshihang]

LegacyServiceAccountTokenNoAutoGeneration would be beta in 1.24; LegacyServiceAccountTokenTracking and LegacyServiceAccountTokenCleanUp would be alpha in 1.24.

[gracenng]

Cross posted in PR
Hi @zshihang ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. I'll mark this as beta while awaiting your confirmation
Here’s where this enhancement currently stands:

• Updated KEP file using the latest template has been merged into the k/enhancements repo KEP-2799: Reduction of Secret-based Service Account Tokens #2800
• KEP status is marked as implementable for this release with latest-milestone: 1.24
• KEP has a test plan section filled out.
• KEP has up to date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is track as at risk. @zshihang, you replied "done" in the PR but it has not been merged. Did I miss something?
Thanks!

[liggitt]

@gracenng the linked PR has now merged. can you confirm this is in good shape for enhancements freeze?

[gracenng]

Thanks for the ping @liggitt . Updated status to tracked, all good for enhancements freeze

[chrisnegus]

Hi @zshihang 👋 1.24 Docs shadow here.

This enhancement is marked as 'Needs Docs' for the 1.24 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.24 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu March 31, 11:59 PM PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

[gracenng]

Hi @zshihang 1.24 Enhancements Team here,

With Code Freeze approaching on 18:00 PDT Tuesday March 29th 2022, the enhancement status is at risk as there is no linked k/k PR. Kindly list them in this issue. Thanks!

[liggitt]

updated description with code and docs PRs

[chrisnegus]

@liggitt Thanks for adding links to the docs PRs. Is that all the documentation required for this KEP in 1.24?

[liggitt]

the unchecked items represent work yet to be done

[katcosgrove]

Hi @liggitt and @zshihang! The deadline to open a placeholder PR against k/website for required documentation is this Thursday, 19 October. Could you please update me on the status of docs for this enhancement? Thank you!

[liggitt]

Could you please update me on the status of docs for this enhancement? Thank you!

kubernetes/kubernetes#120682 is open and in review with the beta updates for the LegacyServiceAccountTokenCleanUp feature gate.

We'll get a placeholder doc PR open

[James-Quigley]

Hi @zshihang 👋 from the v1.29 Communications Release Team! We would like to check if you have any plans to publish blogs for this KEP regarding new features, removals, and deprecations for this release.
If so, you need to open a PR placeholder in the website repository.
The deadline will be on Tuesday 14th November 2023 (after the Docs deadline PR ready for review)
Here's the 1.29 Calendar

[yt2985]

Hi @James-Quigley, I have opened kubernetes/website#43563 in website repo for the kubernetes/kubernetes#120682.

[rayandas]

Hey again @zshihang 👋, 1.29 Enhancements team here,

Just checking in as we approach code freeze at 01:00 UTC Wednesday 1st November 2023: .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).

• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

With all this, the status of this KEP is now tracked for code freeze.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.
As always, we are here to help if any questions come up. Thanks!

[Priyankasaggu11929]

Hello @zshihang @yt2985 @yuanchen8911 👋, 1.29 Release team here.

With below implementation(code related) PRs merged as per the issue description, this enhancement is now marked as tracked for code freeze for the 1.29 Code Freeze! 🚀

• LegacyServiceAccountTokenCleanUp beta kubernetes#120682
• Add audit annotations and metrics to track secret-based long-lived tokens kubernetes#118598

The test freeze is 01:00 UTC Wednesday 15th November 2023 / 18:00 PDT Tuesday 14th November 2023. Please make sure all test PRs are merged in by then.

Please let me know if there are any test PRs we should track. Thanks!

cc: @rayandas

[James-Quigley]

Hi @James-Quigley, I have opened kubernetes/website#43563 in website repo for the kubernetes/kubernetes#120682.

Hello, that PR is actually for docs. If you wish to have a blog post about this feature, a separate placeholder PR will be needed in the https://github.com/kubernetes/website repository. The deadline for the placeholder PR is today.

[kcmartin]

Tagging @yt2985 for this comment, and noting the 1.29 Feature Blog Draft PR Deadline is today, November 14, 2023

[yt2985]

Thank you, @James-Quigley, @kcmartin, I think we don't have the plan to write a blog post about this feature. It's enough with the current doc.

[liggitt]

Targeting promotion to stable in 1.30

[sreeram-venkitesh]

Hello @zshihang 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 9th February 2024.

This enhancement is targeting for stage stable for v1.30 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.30. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

For this KEP, we would just need to update the following:

• Raise a PR updating latest-milestone in kep.yaml to 1.30 and stage as stable

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[liggitt]

#4465 should address #2799 (comment)

[sreeram-venkitesh]

Thanks! Marking this KEP as Tracked for enhancements freeze!

[chanieljdan]

Hi @liggitt, @zshihang 👋, 1.30 Docs Shadow here.

Does this enhancement work planned for 1.30 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.30 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday February 22nd 2024 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

(At a minimum, please remember to update the feature flags to stable for this release ✨)

[fkautz]

Hi @zshihang, @yt2985

👋 from the v1.30 Communications Team! We'd love for you to opt in to write a feature blog about your enhancement!

We encourage blogs for features including, but not limited to: breaking changes, features and changes important to our users, and features that have been in progress for a long time and are graduating.

To opt in, you need to open a Feature Blog placeholder PR against the website repository.
The placeholder PR deadline is 27th February, 2024.
Here's the 1.30 Release Calendar

[chanieljdan]

Hi @liggitt, @zshihang 👋, 1.30 Docs Shadow here.

Does this enhancement work planned for 1.30 require any new docs or modification to existing docs? If so, please follows the steps here to open a PR against dev-1.30 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday February 22nd 2024 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

(At a minimum, please remember to update the feature flags to stable for this release ✨)

We'll need a stability version bumping PR at a minimum. Thanks!

[yt2985]

Thank you for the reminder, @chanieljdan! I opened kubernetes/website#45253 for the stability version bumping up.

[sftim]

Are there any code changes expected for v1.30 (eg: changing some feature gates from beta to stable)? I see a docs PR but no code change.

[liggitt]

Just the gate promotion in kubernetes/kubernetes#122635

[sreeram-venkitesh]

Hey again @zshihang 👋 v1.30 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Wednesday 6th March 2024 .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, with below PRs merged as per the issue description, this enhancement is now marked as tracked for code freeze for the 1.30 Code Freeze! 🚀

• Promote LegacyServiceAccountTokenCleanUp to GA kubernetes#122635

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP. As always, we are here to help if any questions come up. Thanks!

[yt2985]

Hi @sreeram-venkitesh, the PR kubernetes/website#45253 is now open for the doc change. Thank you!