Projected service account tokens for Kubelet image credential providers #4412
Assignees
Labels
lead-opted-in
Denotes that an issue has been opted in to a release
sig/auth
Categorizes an issue or PR as relevant to SIG Auth.
stage/beta
Denotes an issue tracking an enhancement targeted for Beta status
Milestone
Comments
|
/sig auth |
k8s-ci-robot
added
needs-sig
|
Hello @aramase and @enj 👋, Enhancements team here. Just checking in as we approach enhancements freeze on 02:00 UTC Friday 9th February 2024. This enhancement is targeting for stage Here's where this enhancement currently stands:
For this KEP, we would just need to update the following:
The status of this enhancement is marked as |
salehsedghpour
moved this to At Risk for Enhancements Freeze
in 1.30 Enhancements Tracking
|
cc @mikebrow @SergeyKanzhelev @ndixita @ruiwen-zhao @harche @haircommander Will have an KEP open for this soon. |
|
Per the slack thread conversation, I am moving this KEP out of the v1.30 release. |
enj
removed
the
lead-opted-in
|
Hello @enj, thanks for the update. I'm changing the status of this enhancement to |
salehsedghpour
moved this from At Risk for Enhancements Freeze
to Deferred
in 1.30 Enhancements Tracking
salehsedghpour
moved this from Deferred
to Removed from Milestone
in 1.30 Enhancements Tracking
|
/milestone clear |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
Hey again @aramase 👋, v1.33 Enhancements team here, Just checking in as we approach code freeze at 02:00 UTC Friday 21st March 2025 / 19:00 PDT Thursday 20th March 2025. Here's where this enhancement currently stands:
For this enhancement, it looks like the following PRs need to be merged before code freeze (and we need to update the Issue description to include all the related PRs of this KEP): If you anticipate missing code freeze, you can file an exception request in advance. Also, please let me know if there are other PRs in k/k we should be tracking for this KEP. The status of this enhancement is marked as As always, we are here to help if any questions come up. Thanks! |
bianbbc87
moved this from Tracked for enhancements freeze
to At risk for code freeze
in 1.33 Enhancements Tracking
bianbbc87
moved this from At risk for code freeze
to Tracked for code freeze
in 1.33 Enhancements Tracking
|
@aramase Friendly reminder that the deadline to have the doc PR ready for review is today Tuesday 25th March 2025 18:00 PDT |
rayandas
moved this from Tracked for code freeze
to At Risk for Docs Freeze
in 1.33 Enhancements Tracking
michellengnx
moved this from At Risk for Docs Freeze
to Tracked for Docs Freeze
in 1.33 Enhancements Tracking
liggitt
added
stage/beta
|
Targeting beta for 1.34 |
patrickdillon
added a commit
to patrickdillon/installer
that referenced
this issue
May 15, 2025
Removing the identity from the Azure nodes in openshift#9538 broke the acr-credentials-provider, which allows pulling images from private registries in Azure. Instead of re-adding the identity attached to the node, we can add a secret which will add credentials to the cloud provider config. Upstream is working on a solution that will use credentials requests. Once that is landed, we can remove this. Track: kubernetes/enhancements#4412
jenshu
removed
the
tracked/yes
patrickdillon
added a commit
to patrickdillon/installer
that referenced
this issue
May 19, 2025
openshift#9538 switched the installer to not create user-assigned identities for VMs, and exposed an API for users to bring-their-own identities and attach them to nodes. OCPBUGS-56008 shows that the kubelet still depends on the node identity to pull images from Azure Container Registry (ACR). To resolve this issue, this commit sets the default back to using an installer-generated identity attached to the node. The API is still exposed in the install config, so users who do not utilize ACR can set the identity type to None and install with less privileged credentials. When upstream work lands to allow these credentials to be managed via credentialsrequests, we can go set the default identity to None and remove the logic for creating identities. The upstream work is tracked here and looks like it should be available in the next release: kubernetes/enhancements#4412
patrickdillon
added a commit
to patrickdillon/installer
that referenced
this issue
May 19, 2025
openshift#9538 switched the installer to not create user-assigned identities for VMs, and exposed an API for users to bring-their-own identities and attach them to nodes. OCPBUGS-56008 shows that the kubelet still depends on the node identity to pull images from Azure Container Registry (ACR). To resolve this issue, this commit sets the default back to using an installer-generated identity attached to the node. The API is still exposed in the install config, so users who do not utilize ACR can set the identity type to None and install with less privileged credentials. When upstream work lands to allow these credentials to be managed via credentialsrequests, we can go set the default identity to None and remove the logic for creating identities. The upstream work is tracked here and looks like it should be available in the next release: kubernetes/enhancements#4412
patrickdillon
added a commit
to patrickdillon/installer
that referenced
this issue
May 20, 2025
openshift#9538 switched the installer to not create user-assigned identities for VMs, and exposed an API for users to bring-their-own identities and attach them to nodes. OCPBUGS-56008 shows that the kubelet still depends on the node identity to pull images from Azure Container Registry (ACR). To resolve this issue, this commit sets the default back to using an installer-generated identity attached to the node. The API is still exposed in the install config, so users who do not utilize ACR can set the identity type to None and install with less privileged credentials. When upstream work lands to allow these credentials to be managed via credentialsrequests, we can go set the default identity to None and remove the logic for creating identities. The upstream work is tracked here and looks like it should be available in the next release: kubernetes/enhancements#4412
patrickdillon
added a commit
to patrickdillon/installer
that referenced
this issue
May 20, 2025
openshift#9538 switched the installer to not create user-assigned identities for VMs, and exposed an API for users to bring-their-own identities and attach them to nodes. OCPBUGS-56008 shows that the kubelet still depends on the node identity to pull images from Azure Container Registry (ACR). To resolve this issue, this commit sets the default back to using an installer-generated identity attached to the node. The API is still exposed in the install config, so users who do not utilize ACR can set the identity type to None and install with less privileged credentials. When upstream work lands to allow these credentials to be managed via credentialsrequests, we can go set the default identity to None and remove the logic for creating identities. The upstream work is tracked here and looks like it should be available in the next release: kubernetes/enhancements#4412
openshift-cherrypick-robot
pushed a commit
to openshift-cherrypick-robot/installer
that referenced
this issue
May 21, 2025
openshift#9538 switched the installer to not create user-assigned identities for VMs, and exposed an API for users to bring-their-own identities and attach them to nodes. OCPBUGS-56008 shows that the kubelet still depends on the node identity to pull images from Azure Container Registry (ACR). To resolve this issue, this commit sets the default back to using an installer-generated identity attached to the node. The API is still exposed in the install config, so users who do not utilize ACR can set the identity type to None and install with less privileged credentials. When upstream work lands to allow these credentials to be managed via credentialsrequests, we can go set the default identity to None and remove the logic for creating identities. The upstream work is tracked here and looks like it should be available in the next release: kubernetes/enhancements#4412
patrickdillon
added a commit
to patrickdillon/installer
that referenced
this issue
May 21, 2025
openshift#9538 switched the installer to not create user-assigned identities for VMs, and exposed an API for users to bring-their-own identities and attach them to nodes. OCPBUGS-56008 shows that the kubelet still depends on the node identity to pull images from Azure Container Registry (ACR). To resolve this issue, this commit sets the default back to using an installer-generated identity attached to the node. The API is still exposed in the install config, so users who do not utilize ACR can set the identity type to None and install with less privileged credentials. When upstream work lands to allow these credentials to be managed via credentialsrequests, we can go set the default identity to None and remove the logic for creating identities. The upstream work is tracked here and looks like it should be available in the next release: kubernetes/enhancements#4412
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Enhancement Description
k/enhancements) update PR(s):k/k) update PR(s):k/website) update PR(s):k/enhancements) update PR(s):k/k) update PR(s):k/website) update(s):The text was updated successfully, but these errors were encountered: