Open
Labels
- sig/auth: Categorizes an issue or PR as relevant to SIG Auth.
- stage/beta: Denotes an issue tracking an enhancement targeted for Beta status
Description
Enhancement Description
- One-line enhancement description (can be used as a release note): Projected service account tokens for authenticated image pulls via kubelet image credential providers
- Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/README.md
- Discussion Link:
- Primary contact (assignee): @aramase @enj @mainred
- Responsible SIGs: sig-auth, sig-node
- Enhancement target (which target equals to which milestone):
  - Alpha release target (x.y): v1.33
  - Beta release target (x.y): v1.34
  - Stable release target (x.y):
- Alpha
  - KEP (k/enhancements) update PR(s):
  - Code (k/k) update PR(s):
    - credential provider config: detect typos kubernetes#128062
    - Enforce service account node audience restriction kubernetes#128077
    - KSA token for Kubelet image credential providers alpha kubernetes#128372
    - Fix service account node audience restriction for in-tree pv to csi migration kubernetes#129993
    - credential provider config: validate duplicate names early and preserve provider order kubernetes#129669
    - Enable ServiceAccountNodeAudienceRestriction feature gate by default in v1.33 kubernetes#130017
    - Enable dynamic configuration of service account names and audiences for token requests in node audience restriction kubernetes#130485
    - Define type alias for getServiceAccount function kubernetes#130749
    - Add unit tests for credential provider in service account mode kubernetes#130763
  - Docs (k/website) update PR(s):
- Beta
  - KEP (k/enhancements) update PR(s):
  - Code (k/k) update PR(s):
    - Add ServiceAccountTokenCacheType support to credential provider plugin kubernetes#132617
    - Make kubelet token cache UID-aware to prevent stale tokens after service account recreation kubernetes#132803
    - Enable image pull credential verification with service account–based credential providers kubernetes#132771
    - Add `kubelet_credential_provider_config_info` metric kubernetes#133016
    - Mark KubeletServiceAccountTokenForCredentialProviders feature gate as beta kubernetes#133017
  - Docs (k/website) update(s):
Status
In Progress