Bound service account token improvements

[enj]

Enhancement Description

• One-line enhancement description (can be used as a release note): Bound service account token improvements
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4193-bound-service-account-token-improvements/
• Discussion Link: Discussion Link: 2023-08-16 2023-08-02
• Primary contact (assignee): @enj
• Responsible SIGs: Auth
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): v1.29
  • Beta release target (x.y): v1.30, v1.31
  • Stable release target (x.y): v1.32 (ServiceAccountTokenJTI, ServiceAccountTokenNodeBindingValidation, ServiceAccountTokenPodNodeInfo)
  • Stable release target (x.y): v1.33 (ServiceAccountTokenNodeBinding)
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-4193: bound service account token improvements #4141
  • Code (k/k) update PR(s): Including JTI & node reference in issued service account tokens (kep 4193) kubernetes#120780
  • Docs (k/website) update PR(s): KEP-4193: bound service account token improvements website#43958
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-4193: Update milestone for v1.30 & clarify latest state #4470
    • KEP-4193: Update kep to beta #4498
    • KEP-4193: Mark as updated in 1.31 #4724
    • KEP-4193: note ServiceAccountTokenNodeBinding being promoted to beta #4675
  • Code (k/k) update PR(s):
    • KEP-4193: promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to beta kubernetes#123135
    • use authentication.kubernetes.io/issued-credential-id audit annotation in serviceaccount token registry endpoint kubernetes#123098
    • KEP-4193: promote ServiceAccountTokenNodeBinding feature to beta kubernetes#125238
  • Docs (k/website) update(s):
    • Make KEP-4193 documentation updates website#45292
    • KEP-4193: beta promotion of ServiceAccountTokenNodeBinding feature gate website#47283
• Stable
  • KEP (k/enhancements) update PR(s): KEP-4193: stable updates for 1.32 #4892
  • Code (k/k) update PR(s):
  • Docs (k/website) update(s):

[sreeram-venkitesh]

Hello @enj 👋, v1.29 Enhancements team here.

Just checking in as we approach enhancements freeze on 01:00 UTC, Friday, 6th October, 2023.

This enhancement is targeting for stage alpha for v1.29 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.29. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

For this KEP, everything seems to be done in #4141. Please make sure that the PR is merged in time.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[sreeram-venkitesh]

Hi @enj, checking in once more as we approach the 1.29 enhancement freeze deadline on 01:00 UTC Friday, 6th October 2023. The status of this enhancement is marked as at risk. It looks like #4141 will address all of the requirements. Please make sure that the changes are merged in time. Let me know if I missed anything. Thanks!

[liggitt]

@sreeram-venkitesh #4141 is now merged. Can you confirm requirements for 1.29 enhancements freeze are met? Thanks!

[sreeram-venkitesh]

@liggitt Thanks for the ping! Yes all the requirements for the enhancements freeze are met. Updating status to Tracked for enhancements freeze.

[katcosgrove]

Hey there @enj @liggitt and @munnerz! 👋, v1.29 Docs Lead here.
Does this enhancement work planned for v1.29 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.29 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, 19 October 2023.
Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.
Thank you!

[katcosgrove]

Hi again @munnerz @enj and @liggitt! The deadline to open a placeholder PR against k/website for required documentation is this Thursday, 19 October. Could you please update me on the status of docs for this enhancement? Thank you!

[munnerz]

Placeholder PR: kubernetes/website#43590

Please let me know if anything more is needed at this time! Thanks :)

[James-Quigley]

Hi @enj 👋 from the v1.29 Communications Release Team! We would like to check if you have any plans to publish blogs for this KEP regarding new features, removals, and deprecations for this release.
If so, you need to open a PR placeholder in the website repository.
The deadline will be on Tuesday 14th November 2023 (after the Docs deadline PR ready for review)
Here's the 1.29 Calendar

[sreeram-venkitesh]

Hey again @enj @munnerz 👋 v1.29 Enhancements team here,

Just checking in as we approach code freeze at 01:00 UTC Wednesday 1st November 2023 .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

The status of this KEP is currently at risk for Code Freeze. Please let me know if there are other PRs in k/k we should be tracking for this KEP.

As always, we are here to help if any questions come up. Thanks!

[sreeram-venkitesh]

Hello @enj @munnerz 👋, 1.29 Enhancements team here.

With all the implementation(code related) PRs merged as per the issue description, this enhancement is now marked as tracked for code freeze for the 1.29 Code Freeze! 🚀 Are there any other PRs other than the following ones? If there are any other PRs that needs to be tracked, please let us know. Also please update the issue description with the following PRs:

• Including JTI & node reference in issued service account tokens (kep 4193) kubernetes#120780

The test freeze is 01:00 UTC Wednesday 15th November 2023 / 18:00 PDT Tuesday 14th November 2023. Please make sure all test PRs are merged in by then.

Please let me know if there are additional test PRs we should track. Thanks!

[liggitt]

docs PR reviewed by sig-auth reviewer, ready for docs review at kubernetes/website#43958

[liggitt]

Targeting beta in 1.30

[sreeram-venkitesh]

Hello @enj 👋, v1.30 Enhancements team here!

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 9th February 2024.

This enhancement is targeting for stage beta for v1.30 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.30.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

For this KEP, we would just need to update the following:

• Update the kep.yaml file to reflect the latest-milestone as 1.30 and stage as beta.
• Add production readiness reviewer for beta stage in the prod-readiness/sig-auth/4193.yaml

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[a-mccarthy]

hello @munnerz @liggitt, friendly reminder about the upcoming blog opt-in and placeholder deadline on July 3rd. Please open a blog placeholder PR if you are interested in contributing a blog.

[munnerz]

Sorry for the delay here, placeholder/draft PR opened: kubernetes/website#47017

[mickeyboxell]

Hey again @munnerz 👋 Kubernetes 1.31 Enhancements team here.

Just checking in as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024.

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

Could you update the Issue description to include all the related PRs of this KEP and ensure they are merged before code freeze?

If you anticipate missing code freeze, you can file an [exception request](https://github.com/kubernetes/sig-release/blob/master/releases/EXCEPTIONS.md) in advance.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.

As always, we are here to help if any questions come up. Thanks!

The status of this enhancement is marked as at risk for code freeze.

[fossedihelm]

Hey @enj, I would be interested in understanding what the current plans are. In detail, I would like to know if there is a possibility of graduating to GA this feature in 1.32. This feature is really important for KubeVirt; in particular, the main feature gate of our interest is ServiceAccountTokenNodeBinding. We plan to use that feature to fix kubevirt/kubevirt#9109, isolating virt-handler operability.
Can you share the plans, if there are any? Can we help in some way, if needed?
Thank you!

[mickeyboxell]

Hey @enj 👋 Kubernetes 1.31 Enhancements team here.

Following up on the message above as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024. Please let me know if you have any questions.

[sreeram-venkitesh]

@enj @munnerz Following up again with a reminder since we're less than a day away from the code freeze deadline. Do we have a list of PRs that we can keep an eye on for tracking this KEP? Currently the KEP is still At Risk for Code Freeze.

[liggitt]

all the code changes are in (#4193 (comment)) - linked from description

[sreeram-venkitesh]

Promoting ServiceAccountTokenNodeBinding to beta for v1.31:

• KEP-4193: promote ServiceAccountTokenNodeBinding feature to beta kubernetes#125238
• KEP-4193: note ServiceAccountTokenNodeBinding being promoted to beta #4675

Thanks @liggitt! With all the PRs for 1.31 are merged, I'm marking this KEP as tracked for code freeze 🎉

[sreeram-venkitesh]

@munnerz @pegasas This KEP has an open PR for adding unit tests: kubernetes/kubernetes#121640. Please make sure to get this merged by the test freeze deadline (01:00 UTC Wednesday 31st July 2024 / 19:00 PDT Tuesday 30th July 2024)

[liggitt]

kubernetes/website#47017 replaced with kubernetes/website#47283 for 1.31 changes

[liggitt]

Required doc changes are merged

[liggitt]

Opting in for GA graduation of 3 feature gates in 1.32

[tjons]

/milestone clear (for 1.31)

[k8s-ci-robot]

@tjons: The provided milestone is not valid for this repository. Milestones in this repository: [v1.25, v1.27, v1.28, v1.29, v1.30, v1.31, v1.32, v1.33, v1.34]

Use /milestone clear to clear the milestone.

In response to this:

/milestone clear (for 1.31)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[tjons]

/milestone clear

[tjons]

/milestone clear

[tjons]

/milestone v1.32

[shecodesmagic]

Hello @enj 👋, v1.32 Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 11th October 2024 / 19:00 PDT Thursday 10th October 2024.

This enhancement is targeting for stage stable for v1.32 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.32.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline on Thursday 3rd October 2024 so that the PRR team has enough time to review your KEP.

For this KEP, we would need to update the following:

• KEP status is marked as implementable for latest-milestone: v1.32.
• Ensure that the KEP has undergone a production readiness review and has been merged into k/enhancements.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

If you anticipate missing enhancements freeze, you can file an exception request in advance. Thank you!

[liggitt]

#4892 should address the outstanding items from #4193 (comment)

[shecodesmagic]

@liggitt

Here’s where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.32. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria.
• KEP has submitted a production readiness review request for approval and has a reviewer assigned.
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

With all the KEP requirements in place and merged into k/enhancements, this enhancement is all good for the upcoming enhancements freeze. 🚀

The status of this enhancement is marked as tracked for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!