Add command to request a bound service account token #107880
Merged
k8s-ci-robot added the release-note, kind/feature, size/L, sig/auth, sig/cli, cncf-cla: yes, needs-triage and needs-priority labels on Jan 31, 2022.
liggitt changed the title from "Add command to request a bound service account token" to "WIP - Add command to request a bound service account token" on Jan 31, 2022.
k8s-ci-robot added the do-not-merge/work-in-progress, approved and area/kubectl labels on Jan 31, 2022.
liggitt force-pushed the kubectl-auth-token branch from 438704a to 68f4ab2 on January 31, 2022 17:31.
/retest
unsure whether we want this here or under
deads2k reviewed on Feb 1, 2022.
/assign @micahhausler (wait to review until I relocate this to
liggitt force-pushed the kubectl-auth-token branch 6 times, most recently from b358c71 to 9900fec on February 6, 2022 20:29.
k8s-ci-robot added the area/test and sig/testing labels on Feb 6, 2022.
liggitt added the priority/important-soon label on Feb 6, 2022.
k8s-ci-robot removed the needs-priority label on Feb 6, 2022.
zshihang reviewed on Feb 7, 2022 (two reviews).
liggitt force-pushed the kubectl-auth-token branch from cd44019 to 6c252f7 on February 7, 2022 18:12.
this new command would be very useful. /lgtm
k8s-ci-robot added the lgtm label on Feb 7, 2022.
/hold
k8s-ci-robot added the do-not-merge/hold label on Feb 7, 2022.
deads2k reviewed on Feb 9, 2022 (two reviews).
liggitt force-pushed the kubectl-auth-token branch from 6c252f7 to fca9b1d on February 9, 2022 19:06.
k8s-ci-robot removed the lgtm label on Feb 9, 2022.
dropped uid precondition / population bits
/lgtm
k8s-ci-robot added the lgtm label on Feb 9, 2022.
liggitt removed the do-not-merge/hold label on Feb 9, 2022.
Labels: approved, area/dependency, area/kubectl, area/test, cncf-cla: yes, kind/feature, lgtm, priority/important-soon, release-note, sig/auth, sig/cli, sig/testing, size/XL, triage/accepted
What type of PR is this?
/kind feature

What this PR does / why we need it:

Default RBAC policy change:
  edit and admin roles. These roles already have full access to service account credentials via secrets, and will be able to get tokens via manually created token secrets in the future, and can create pods that exfiltrate injected tokens. Giving them direct access to tokenrequest is not a practical escalation from their current permissions.

TokenRequest endpoint changes:

Kubectl changes:
  kubectl get secret "$(kubectl get serviceaccount default -o jsonpath='{.secrets[0].name}')"

xref https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token

TODO:
  kubectl create token
  serviceaccounts/token
  permissions)

Does this PR introduce a user-facing change?

/cc @deads2k @zshihang @soltysh
/sig auth cli
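The difference between the `kubectl get secret` lookup above and a token from the TokenRequest API is that the requested token is bound: it carries an audience, an expiry and, when requested with a bound object, a pod binding. As an added example (not code from this PR or from kubectl), the Go below decodes those claims from a constructed, unsigned sample token and reports where a token is broader than a pod-bound, short-lived, single-audience credential should be; it assumes the `kubernetes.io` claim object the API server issues for bound tokens and that a single audience is serialized as a plain string.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Claims holds the bound-token fields we inspect; "aud" is a string for one audience and an array for several, so it is decoded as any.
type Claims struct {
	Aud any            `json:"aud"`
	Exp int64          `json:"exp"`
	K8s map[string]any `json:"kubernetes.io"`
}

// ParseClaims decodes the payload without checking the signature: fine for inspecting a token you just requested, never for authenticating one.
func ParseClaims(tok string) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWT")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	c := &Claims{}
	return c, json.Unmarshal(raw, c)
}

// Findings lists why a token is broader than a pod-bound, short-lived, single-audience credential; an empty result means it passes.
func Findings(c *Claims, now time.Time, maxTTL time.Duration, wantAud string) []string {
	var f []string
	if aud, ok := c.Aud.(string); !ok || aud != wantAud {
		f = append(f, "audience is not exactly "+wantAud)
	}
	if c.Exp == 0 || time.Unix(c.Exp, 0).Sub(now) > maxTTL {
		f = append(f, "lifetime exceeds "+maxTTL.String())
	}
	if c.K8s["pod"] == nil {
		f = append(f, "not bound to a pod")
	}
	return f
}

// SampleToken is a constructed, unsigned token (dummy header and signature), not one issued by a real cluster.
var SampleToken = "eyJhbGciOiJSUzI1NiJ9." + base64.RawURLEncoding.EncodeToString([]byte(
	`{"aud":"https://kubernetes.default.svc","exp":1650000600,"kubernetes.io":{"pod":{"name":"demo"}}}`)) + ".sig"
```

A legacy secret-based token has no `aud`, no `exp` and no `kubernetes.io` object, so it fails all three checks.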