no auto-generation of secret-based service account token #108309
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
do-not-merge/needs-kind
|
/cc @liggitt |
k8s-ci-robot
added
triage/accepted
liggitt
reviewed
Feb 23, 2022
liggitt
reviewed
Feb 23, 2022
liggitt
reviewed
Feb 23, 2022
k8s-ci-robot
added
size/XL
JoaoBraveCoding
added a commit
to JoaoBraveCoding/must-gather
that referenced
this pull request
Jun 15, 2022
problem: Since k8s 1.24 tokens for SA are not automatically generated [1] hence, it's not possible to get a SA token with the command "oc sa get-token default", this breaks the gather_monitoring script as we need the token to make http requests to prometheus solution: use instead the new command "oc create token default" [1] kubernetes/kubernetes#108309
krgostev
pushed a commit
to krgostev/gardener
that referenced
this pull request
Jul 5, 2022
* Extend docs to support kubernetes v1.24 and allow client creation * Adapt kubernetes feature gates ./hack/compare-k8s-feature-gates.sh 1.23 1.24 ✔ Feature gates added in 1.24 compared to 1.23: CSIMigrationRBD CronJobTimeZone LegacyServiceAccountTokenNoAutoGeneration MaxUnavailableStatefulSet MinDomainsInPodTopologySpread NetworkPolicyStatus NodeOutOfServiceVolumeDetach ServiceIPStaticSubrange Feature gates removed in 1.24 compared to 1.23: HugePageStorageMediumSize ImmutableEphemeralVolumes MigrationRBD NamespaceDefaultLabelName RuntimeClass SetHostnameAsFQDN StreamingProxyRedirects ValidateProxyRedirects WarningHeaders Feature gates locked to default in 1.24 compared to 1.23: CSIMigrationOpenStack CSIStorageCapacity CSRDuration ControllerManagerLeaderMigration DefaultPodTopologySpread EfficientWatchResumption IndexedJob NonPreemptingPriority PodAffinityNamespaceSelector PodOverhead PreferNominatedNode RemoveSelfLink ServiceLBNodePortControl ServiceLoadBalancerClass SuspendJob * Use 1.24 for local shoot * Drop removed flag --insecure-port for v1.24 ref kubernetes/kubernetes#106859 * Drop removed flag --port for v1.24 ref kubernetes/kubernetes#106860 * Remove deprecated usages of metadata.Selflink * Use 1.24 e2e test * Bump kindest/node image to v1.24 * Adapt changes for with k/k v1.24 Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount ref kubernetes/kubernetes#108309 * Add unit test
kahirokunn
added a commit
to kahirokunn/aws-ebs-csi-driver
that referenced
this pull request
Jun 15, 2023
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes > The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). (kubernetes/kubernetes#108309, [@zshihang](https://github.com/zshihang)) Since k8s 1.24, TOKEN is not mounted automatically. If you want to access with IRSA, you need to use a token. Signed-off-by: kahirokunn <okinakahiro@gmail.com>
kahirokunn
added a commit
to kahirokunn/aws-ebs-csi-driver
that referenced
this pull request
Jun 15, 2023
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes > The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). (kubernetes/kubernetes#108309, [@zshihang](https://github.com/zshihang)) Since k8s 1.24, TOKEN is not mounted automatically. If you want to access with IRSA, you need to use a token. Signed-off-by: kahirokunn <okinakahiro@gmail.com>
kahirokunn
added a commit
to kahirokunn/aws-ebs-csi-driver
that referenced
this pull request
Jun 15, 2023
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes > The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). (kubernetes/kubernetes#108309, [@zshihang](https://github.com/zshihang)) Since k8s 1.24, TOKEN is not mounted automatically. If you want to access with IRSA, you need to use a token. Signed-off-by: kahirokunn <okinakahiro@gmail.com>
kahirokunn
added a commit
to kahirokunn/aws-ebs-csi-driver
that referenced
this pull request
Jun 16, 2023
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes > The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). (kubernetes/kubernetes#108309, [@zshihang](https://github.com/zshihang)) Since k8s 1.24, TOKEN is not mounted automatically. If you want to access with IRSA, you need to use a token. Signed-off-by: kahirokunn <okinakahiro@gmail.com>
kahirokunn
added a commit
to kahirokunn/aws-ebs-csi-driver
that referenced
this pull request
Jun 16, 2023
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes > The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). (kubernetes/kubernetes#108309, [@zshihang](https://github.com/zshihang)) Since k8s 1.24, TOKEN is not mounted automatically. If you want to access with IRSA, you need to use a token. Signed-off-by: kahirokunn <okinakahiro@gmail.com>
weizhouapache
added a commit
to weizhouapache/cloudstack
that referenced
this pull request
Jul 24, 2023
Since Kubernetes v1.24.0, there is no auto-generation of secret-based service account token due to security reason. see kubernetes/kubernetes#108309 To access kubernetes dashboard, users need to create a service account and an optional long-lived Bearer Token for the service account.
12 tasks
weizhouapache
added a commit
to apache/cloudstack
that referenced
this pull request
Jul 25, 2023
Since Kubernetes v1.24.0, there is no auto-generation of secret-based service account token due to security reason. see kubernetes/kubernetes#108309 To access kubernetes dashboard, users need to create a service account and an optional long-lived Bearer Token for the service account.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
/kind feature
What this PR does / why we need it:
stops auto-generation of legacy tokens because they are less secure
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
-[KEP]: kubernetes/enhancements#2800