Bound service account token improvements

[enj]

Enhancement Description

• One-line enhancement description (can be used as a release note): Bound service account token improvements
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4193-bound-service-account-token-improvements/
• Discussion Link: Discussion Link: 2023-08-16 2023-08-02
• Primary contact (assignee): @enj
• Responsible SIGs: Auth
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): v1.29
  • Beta release target (x.y): v1.30, v1.31
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s): KEP-4193: bound service account token improvements #4141
  • Code (k/k) update PR(s): Including JTI & node reference in issued service account tokens (kep 4193) kubernetes#120780
  • Docs (k/website) update PR(s): KEP-4193: bound service account token improvements website#43958
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-4193: Update milestone for v1.30 & clarify latest state #4470
    • KEP-4193: Update kep to beta #4498
    • KEP-4193: Mark as updated in 1.31 #4724
  • Code (k/k) update PR(s):
    • KEP-4193: promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to beta kubernetes#123135
    • use authentication.kubernetes.io/issued-credential-id audit annotation in serviceaccount token registry endpoint kubernetes#123098
  • Docs (k/website) update(s):
    • Make KEP-4193 documentation updates website#45292

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[sreeram-venkitesh]

Hello @enj 👋, v1.29 Enhancements team here.

Just checking in as we approach enhancements freeze on 01:00 UTC, Friday, 6th October, 2023.

This enhancement is targeting for stage alpha for v1.29 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.29. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

For this KEP, everything seems to be done in #4141. Please make sure that the PR is merged in time.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[sreeram-venkitesh]

Hi @enj, checking in once more as we approach the 1.29 enhancement freeze deadline on 01:00 UTC Friday, 6th October 2023. The status of this enhancement is marked as at risk. It looks like #4141 will address all of the requirements. Please make sure that the changes are merged in time. Let me know if I missed anything. Thanks!

[liggitt]

@sreeram-venkitesh #4141 is now merged. Can you confirm requirements for 1.29 enhancements freeze are met? Thanks!

[sreeram-venkitesh]

@liggitt Thanks for the ping! Yes all the requirements for the enhancements freeze are met. Updating status to Tracked for enhancements freeze.

[katcosgrove]

Hey there @enj @liggitt and @munnerz! 👋, v1.29 Docs Lead here.
Does this enhancement work planned for v1.29 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.29 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, 19 October 2023.
Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.
Thank you!

[katcosgrove]

Hi again @munnerz @enj and @liggitt! The deadline to open a placeholder PR against k/website for required documentation is this Thursday, 19 October. Could you please update me on the status of docs for this enhancement? Thank you!

[munnerz]

Placeholder PR: kubernetes/website#43590

Please let me know if anything more is needed at this time! Thanks :)

[James-Quigley]

Hi @enj 👋 from the v1.29 Communications Release Team! We would like to check if you have any plans to publish blogs for this KEP regarding new features, removals, and deprecations for this release.
If so, you need to open a PR placeholder in the website repository.
The deadline will be on Tuesday 14th November 2023 (after the Docs deadline PR ready for review)
Here's the 1.29 Calendar

[sreeram-venkitesh]

Hey again @enj @munnerz 👋 v1.29 Enhancements team here,

Just checking in as we approach code freeze at 01:00 UTC Wednesday 1st November 2023 .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

The status of this KEP is currently at risk for Code Freeze. Please let me know if there are other PRs in k/k we should be tracking for this KEP.

As always, we are here to help if any questions come up. Thanks!

[sreeram-venkitesh]

Hello @enj @munnerz 👋, 1.29 Enhancements team here.

With all the implementation(code related) PRs merged as per the issue description, this enhancement is now marked as tracked for code freeze for the 1.29 Code Freeze! 🚀 Are there any other PRs other than the following ones? If there are any other PRs that needs to be tracked, please let us know. Also please update the issue description with the following PRs:

• Including JTI & node reference in issued service account tokens (kep 4193) kubernetes#120780

The test freeze is 01:00 UTC Wednesday 15th November 2023 / 18:00 PDT Tuesday 14th November 2023. Please make sure all test PRs are merged in by then.

Please let me know if there are additional test PRs we should track. Thanks!

[liggitt]

docs PR reviewed by sig-auth reviewer, ready for docs review at kubernetes/website#43958

[liggitt]

Targeting beta in 1.30

[sreeram-venkitesh]

Hello @enj 👋, v1.30 Enhancements team here!

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 9th February 2024.

This enhancement is targeting for stage beta for v1.30 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.30.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

For this KEP, we would just need to update the following:

• Update the kep.yaml file to reflect the latest-milestone as 1.30 and stage as beta.
• Add production readiness reviewer for beta stage in the prod-readiness/sig-auth/4193.yaml

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[munnerz]

Opened a placeholder PR here - thanks for the reminder! kubernetes/website#45292

[sreeram-venkitesh]

Hey again @enj @munnerz 👋 1.30 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Wednesday 6th March 2024 .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, it looks like the following PRs are open and need to be merged before code freeze (and we need to update the Issue description to include all the related PRs of this KEP):

• KEP-4193: promote ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo and ServiceAccountTokenNodeBindingValidation to beta kubernetes#123135

Currently I'm marking this KEP as At Risk for Code Freeze. Please let me know if there are other PRs in k/k we should be tracking for this KEP. As always, we are here to help if any questions come up. Thanks!

[liggitt]

all code PRs for 1.30 / beta are linked in the description and merged

[sreeram-venkitesh]

Marked as Tracked for code freeze! Thank you!

[sreeram-venkitesh]

Hi @enj, @liggitt and @munnerz 👋, 1.31 Enhancements Lead here.

If you wish to progress this enhancement in v1.31, please have the SIG lead opt-in your enhancement by adding the lead-opted-in label and set the milestone to v1.31 before the Production Readiness Review Freeze.

/remove-label lead-opted-in

[liggitt]

/milestone v1.31
/label lead-opted-in

[munnerz]

Promoting ServiceAccountTokenNodeBinding to beta for v1.31:

• KEP-4193: promote ServiceAccountTokenNodeBinding feature to beta kubernetes#125238
• KEP-4193: note ServiceAccountTokenNodeBinding being promoted to beta #4675

[mickeyboxell]

Hi @munnerz 👋 v1.31 Enhancements team here.

I wanted to check in as we approach the enhancements freeze on 02:00 UTC Friday 14th June 2024 / 19:00 PDT Thursday 13th June 2024.

This enhancement is targeting beta for v1.31. Please correct me if that isn't the case.

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: v1.31. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here). If your production readiness review is not completed yet, please make sure to fill the production readiness questionnaire in your KEP by the PRR Freeze deadline so that the PRR team has enough time to review your KEP before the enhancements freeze.

For this KEP, we need to do the following:

• Cut a PR with the appropriate changes to the KEP readme and kep.yaml and ensure the PR is merged prior to the enhancements freeze.
• Please share a link to the PRR approval and if it has not yet been approved make sure to do so by the deadline mentioned above.
• Please update the issue description with the links to the PR.

The status of this enhancement is marked as at risk for enhancement freeze. We can mark it as tracked as soon as the above changes are merged. Please make sure to get this done before the enhancements freeze.

If you anticipate missing enhancements freeze, you can file an exception request in advance. Let me know if you have any questions! Thank you!

[liggitt]

@munnerz can you update https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4193-bound-service-account-token-improvements/kep.yaml#L26 to 1.31

Once that is done, as far as I know, all of the items in #4193 (comment) will be complete

[MaryamTavakkoli]

Hello @munnerz @liggitt @enj 👋, 1.31 Docs Shadow here.
Does this enhancement work planned for 1.31 require any new docs or modifications to existing docs?
If so, please follow the steps here to open a PR against the dev-1.31 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday, June 27, 2024, 18:00 PDT.
Also, take a look at Documenting for a release to get yourself familiarised with the docs requirement for the release.
Thank you!

[liggitt]

@mickeyboxell all criteria for 1.31 should be met at this point, please confirm

[sreeram-venkitesh]

Marking the KEP as tracked for enhancements freeze, thanks @liggitt @munnerz!

[a-mccarthy]

Hi @munnerz @liggitt,

👋 from the v1.31 Communications Team! We'd love for you to opt in to write a feature blog about your enhancement!
Some reasons why you might want to write a blog for this feature include (but are not limited to) if this introduces breaking changes, is important to our users, or has been in progress for a long time and is graduating.

To opt in, let us know and open a Feature Blog placeholder PR against the website repository by 3rd July, 2024. For more information about writing a blog see the blog contribution guidelines.

Note: In your placeholder PR, use XX characters for the blog date in the front matter and file name. We will work with you on updating the PR with the publication date once we have a final number of feature blogs for this release.

[MaryamTavakkoli]

Hello @munnerz @liggitt @enj,
This is a friendly reminder that the deadline for the draft Doc PR is tomorrow, Thursday, June 27, 2024, 18:00 PDT.

[a-mccarthy]

hello @munnerz @liggitt, friendly reminder about the upcoming blog opt-in and placeholder deadline on July 3rd. Please open a blog placeholder PR if you are interested in contributing a blog.

[munnerz]

Sorry for the delay here, placeholder/draft PR opened: kubernetes/website#47017

[mickeyboxell]

Hey again @munnerz 👋 Kubernetes 1.31 Enhancements team here.

Just checking in as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024.

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

Could you update the Issue description to include all the related PRs of this KEP and ensure they are merged before code freeze?

If you anticipate missing code freeze, you can file an [exception request](https://github.com/kubernetes/sig-release/blob/master/releases/EXCEPTIONS.md) in advance.

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP.

As always, we are here to help if any questions come up. Thanks!

The status of this enhancement is marked as at risk for code freeze.

[fossedihelm]

Hey @enj, I would be interested in understanding what the current plans are. In detail, I would like to know if there is a possibility of graduating to GA this feature in 1.32. This feature is really important for KubeVirt; in particular, the main feature gate of our interest is ServiceAccountTokenNodeBinding. We plan to use that feature to fix kubevirt/kubevirt#9109, isolating virt-handler operability.
Can you share the plans, if there are any? Can we help in some way, if needed?
Thank you!

[mickeyboxell]

Hey @enj 👋 Kubernetes 1.31 Enhancements team here.

Following up on the message above as we approach code freeze at 02:00 UTC Wednesday 24th July 2024 / 19:00 PDT Tuesday 23rd July 2024. Please let me know if you have any questions.