Reduction of Secret-based Service Account Tokens #2799

Open
18 tasks done
zshihang opened this issue Jun 25, 2021 · 44 comments
Labels
lead-opted-in Denotes that an issue has been opted in to a release lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. sig/auth Categorizes an issue or PR as relevant to SIG Auth. stage/beta Denotes an issue tracking an enhancement targeted for Beta status tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team

Contributor

zshihang commented Jun 25, 2021

Enhancement Description

@k8s-ci-robot k8s-ci-robot added the needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. label Jun 25, 2021
Contributor Author

zshihang commented Jul 29, 2021

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 29, 2021
@enj enj added this to Needs Triage in SIG Auth Aug 9, 2021
@zshihang zshihang changed the title Token Controller Deprecation Reduction of Secret-based Service Account Tokens Sep 10, 2021

k8s-triage-robot commented Dec 9, 2021

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 9, 2021
Member

enj commented Dec 13, 2021

/remove-lifecycle stale
/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Dec 13, 2021
@enj enj moved this from Needs Triage to KEP Backlog in SIG Auth Dec 13, 2021
@liggitt liggitt moved this from KEP Backlog to In Review in SIG Auth Jan 18, 2022
@liggitt liggitt added the stage/beta Denotes an issue tracking an enhancement targeted for Beta status label Jan 18, 2022
@liggitt liggitt added this to the v1.24 milestone Jan 18, 2022
@liggitt liggitt moved this from In Review to Pending other SIGs in SIG Auth Jan 19, 2022
@liggitt liggitt moved this from Pending other SIGs to In Progress in SIG Auth Jan 19, 2022
@gracenng gracenng added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jan 20, 2022
Member

gracenng commented Jan 20, 2022

Hi @zshihang , 1.24 Enhancements Lead here. Will this enhancement (both features) be in alpha for 1.24?
Thanks

Contributor Author

zshihang commented Jan 20, 2022

LegacyServiceAccountTokenNoAutoGeneration would be beta in 1.24; LegacyServiceAccountTokenTracking and LegacyServiceAccountTokenCleanUp would be alpha in 1.24.

Member

gracenng commented Jan 22, 2022

Cross posted in PR
Hi @zshihang ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. I'll mark this as beta while awaiting your confirmation
Here’s where this enhancement currently stands:

  • Updated KEP file using the latest template has been merged into the k/enhancements repo KEP-2799: Reduction of Secret-based Service Account Tokens #2800
  • KEP status is marked as implementable for this release with latest-milestone: 1.24
  • KEP has a test plan section filled out.
  • KEP has up to date graduation criteria.
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is tracked as at risk. @zshihang, you replied "done" in the PR but it has not been merged. Did I miss something?
Thanks!

Member

liggitt commented Jan 27, 2022

@gracenng the linked PR has now merged. can you confirm this is in good shape for enhancements freeze?

Member

gracenng commented Jan 27, 2022

Thanks for the ping @liggitt . Updated status to tracked, all good for enhancements freeze


chrisnegus commented Feb 11, 2022

Hi @zshihang 👋 1.24 Docs shadow here.

This enhancement is marked as 'Needs Docs' for the 1.24 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.24 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu March 31, 11:59 PM PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

Member

gracenng commented Mar 16, 2022

Hi @zshihang 1.24 Enhancements Team here,

With Code Freeze approaching on 18:00 PDT Tuesday March 29th 2022, the enhancement status is at risk as there is no linked k/k PR. Kindly list them in this issue. Thanks!

Member

liggitt commented Mar 16, 2022

updated description with code and docs PRs


chrisnegus commented Mar 19, 2022

@liggitt Thanks for adding links to the docs PRs. Is that all the documentation required for this KEP in 1.24?

Member

liggitt commented Mar 19, 2022

the unchecked items represent work yet to be done

Member

jasonbraganza commented Jun 16, 2022

Thank you @liggitt! :) thank you too @Priyankasaggu11929 :)


didicodes commented Jul 13, 2022

Hello @liggitt, @zshihang 👋, 1.25 Release Docs Shadow here.

This enhancement is marked as ‘Needs Docs’ for the 1.25 release. Please follow the steps detailed in the documentation to open a PR against the dev-1.25 branch in the k/website repo. This PR can be just a placeholder at this time and must be created by August 4.


Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release. Thank you!

yasserisa added a commit to yasserisa/terraform-google-kubernetes-engine that referenced this issue Jul 20, 2022
The problem when generating new service accounts, is that the secret containing the SA token is no longer generated automatically since the LegacyServiceAccountTokenNoAutoGeneration function gate was enabled as true in Kubernetes clusters version 1.24.
(references: kubernetes/enhancements#2799
https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/)

This is the reported issue for the terraform resource kubernetes_service_account
hashicorp/terraform-provider-kubernetes#1724

Alternative changes were made using the terraform resource kubernetes_manifest to manually generate the service accounts along with their secret
yasserisa added a commit to yasserisa/terraform-google-kubernetes-engine that referenced this issue Jul 20, 2022
The problem when generating new service accounts, is that the secret containing the SA token is no longer generated automatically since the LegacyServiceAccountTokenNoAutoGeneration feature gate was enabled as true in Kubernetes clusters version 1.24.
(references: kubernetes/enhancements#2799
https://kubernetes.io/docs/reference/command-line-tools-reference/feature-gates/)

This is the reported issue for the terraform resource kubernetes_service_account
hashicorp/terraform-provider-kubernetes#1724

Alternative changes were made using the terraform resource kubernetes_manifest to manually generate the service accounts along with their secret
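
The behaviour the commit message above describes, as an added example that is not part of this issue or of the referenced commit: an inventory that separates ServiceAccounts with no token Secret (what 1.24 produces by default) from those that still carry a Secret-based token, plus the manifest shape for a manually created token Secret. The sample objects, the `audit` and `token_secret_manifest` helpers and the `<name>-token` naming are assumptions made for illustration.

```python
TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"


def token_secret_manifest(sa_name, namespace):
    """Manually created token Secret; the resulting token carries no expiry."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": TOKEN_TYPE,
        "metadata": {
            "name": f"{sa_name}-token",  # hypothetical naming choice
            "namespace": namespace,
            "annotations": {SA_ANNOTATION: sa_name},
        },
    }


def audit(service_accounts, secrets):
    """Split ServiceAccounts by whether a Secret-based token exists for them."""
    bound = {}
    for s in secrets:
        meta = s["metadata"]
        owner = (meta.get("annotations") or {}).get(SA_ANNOTATION)
        if s.get("type") == TOKEN_TYPE and owner:
            bound.setdefault((meta["namespace"], owner), []).append(meta["name"])
    report = {"no_token_secret": [], "secret_based_token": {}}
    for sa in service_accounts:
        key = (sa["metadata"]["namespace"], sa["metadata"]["name"])
        if key in bound:
            report["secret_based_token"]["/".join(key)] = sorted(bound[key])
        else:
            report["no_token_secret"].append("/".join(key))
    return report


# Constructed sample objects, shaped like items from `kubectl get ... -o json`.
SAMPLE_SAS = [
    {"metadata": {"namespace": "ci", "name": "deployer"}},    # created on 1.24+
    {"metadata": {"namespace": "ci", "name": "legacy-bot"}},  # created before 1.24
]
SAMPLE_SECRETS = [
    {"type": TOKEN_TYPE, "metadata": {"namespace": "ci", "name": "legacy-bot-token-abcde",
                                      "annotations": {SA_ANNOTATION: "legacy-bot"}}},
    {"type": "Opaque", "metadata": {"namespace": "ci", "name": "registry-creds"}},
]

if __name__ == "__main__":
    print(audit(SAMPLE_SAS, SAMPLE_SECRETS))
```

Every entry under `secret_based_token` is a long-lived credential worth tracking; where a workload can use them, short-lived tokens from the TokenRequest API (for example `kubectl create token`) avoid creating the Secret at all.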
Member

jasonbraganza commented Jul 25, 2022

Hi @zshihang 👋

Checking in once more as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022.

Please ensure the following items are completed:

Please verify, if there are any additional k/k PRs besides the ones listed above.
Please plan to get the open k/k merged by the code freeze deadline. The status of the enhancement is currently marked as at-risk.
Please also update the issue description with the relevant links for tracking purpose. Thank you so much!

Member

jasonbraganza commented Jul 29, 2022

Hello @zshihang 👋

Just a gentle reminder from the enhancement team as we approach 1.25 code freeze at 01:00 UTC on Wednesday, 3rd August 2022. (less than a week to go)
Please plan to have the k/k PR merged before then.

The status of this enhancement is currently marked as at risk

Thank you.

Member

Priyankasaggu11929 commented Aug 3, 2022

Hello 👋, 1.25 Enhancements Lead here.

Unfortunately, this enhancement did not meet the code freeze criteria because there are still unmerged k/k code PRs.

If you still wish to progress this enhancement in v1.25, please file an exception request. Thank you so much!

/milestone clear

@k8s-ci-robot k8s-ci-robot removed this from the v1.25 milestone Aug 3, 2022
@Priyankasaggu11929 Priyankasaggu11929 added tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team and removed tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team labels Aug 3, 2022
@liggitt liggitt added this to the v1.26 milestone Sep 1, 2022
Member

liggitt commented Sep 1, 2022

retargeted LegacyServiceAccountTokenTracking alpha for 1.26

@liggitt liggitt self-assigned this Sep 1, 2022
@liggitt liggitt added lead-opted-in Denotes that an issue has been opted in to a release tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team and removed tracked/no Denotes an enhancement issue is NOT actively being tracked by the Release Team labels Sep 6, 2022
Member

liggitt commented Sep 6, 2022

Contributor

marosset commented Sep 20, 2022

Hello @zshihang 👋, 1.26 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PDT on Thursday 6th October 2022.

This enhancement is targeting for stage beta for 1.26 (correct me, if otherwise)

Here's where this enhancement currently stands:

  • KEP readme using the latest template has been merged into the k/enhancements repo.
  • KEP status is marked as implementable for latest-milestone: 1.26
  • KEP readme has an updated detailed test plan section filled out
  • KEP readme has up to date graduation criteria
  • KEP has a production readiness review that has been completed and merged into k/enhancements.

For this KEP, we would just need to update the following:

The status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

Contributor

marosset commented Oct 3, 2022

With #3536 merged, this enhancement is now tracked for the v1.26 release. Thanks!

Contributor

sftim commented Oct 24, 2022

@zshihang I think the first link in the issue description should be to https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token


rhockenbury commented Oct 29, 2022

Hi @zshihang 👋,

Checking in as we approach 1.26 code freeze at 17:00 PDT on Tuesday 8th November 2022.

Please ensure the following items are completed:

  • All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
  • All PRs are fully merged by the code freeze deadline.

Let me know if we need to track any PRs beyond kubernetes/kubernetes#108858.

As always, we are here to help should questions come up. Thanks!


krol3 commented Nov 3, 2022

Hello @zshihang 👋, 1.26 Release Docs Lead here. This enhancement is marked as ‘Needs Docs’ for 1.26 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.26 branch in the k/website repo. This PR can be just a placeholder at this time, and must be created by November 9. Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Any doubt, reach us! Thank you!


krol3 commented Nov 14, 2022

Hello @zshihang 👋 please take a look at Documenting for a release - PR Ready for Review to get your PR ready for review before deadline Tuesday 15th November 2022. Thank you!


krol3 commented Nov 15, 2022

Hi @zshihang ! Thank you for your doc PR here

Projects
Status: Graduating
SIG Auth
In Progress