no auto-generation of secret-based service account token #108309
Merged
k8s-ci-robot added labels do-not-merge/needs-kind, do-not-merge/needs-sig, needs-triage, needs-priority, release-note-action-required, size/L, kind/feature, cncf-cla: yes, area/test, sig/apps, sig/auth, sig/testing and removed labels do-not-merge/needs-kind, do-not-merge/needs-sig (Feb 23, 2022)
/cc @liggitt
k8s-ci-robot added labels triage/accepted, priority/important-soon and removed label needs-priority (Feb 23, 2022)
liggitt reviewed (Feb 23, 2022)
liggitt reviewed (Feb 23, 2022)
liggitt reviewed (Feb 23, 2022)
k8s-ci-robot added labels size/XL, sig/api-machinery and removed label size/L (Feb 23, 2022)
JoaoBraveCoding added a commit to JoaoBraveCoding/must-gather that referenced this pull request (Jun 15, 2022):

problem: Since k8s 1.24, tokens for SAs are not automatically generated [1]; hence it's not possible to get an SA token with the command "oc sa get-token default". This breaks the gather_monitoring script, as we need the token to make HTTP requests to Prometheus.
solution: use the new command "oc create token default" instead.
[1] kubernetes/kubernetes#108309
krgostev pushed a commit to krgostev/gardener that referenced this pull request (Jul 5, 2022):

* Extend docs to support kubernetes v1.24 and allow client creation
* Adapt kubernetes feature gates
  ./hack/compare-k8s-feature-gates.sh 1.23 1.24 ✔
  Feature gates added in 1.24 compared to 1.23: CSIMigrationRBD, CronJobTimeZone, LegacyServiceAccountTokenNoAutoGeneration, MaxUnavailableStatefulSet, MinDomainsInPodTopologySpread, NetworkPolicyStatus, NodeOutOfServiceVolumeDetach, ServiceIPStaticSubrange
  Feature gates removed in 1.24 compared to 1.23: HugePageStorageMediumSize, ImmutableEphemeralVolumes, MigrationRBD, NamespaceDefaultLabelName, RuntimeClass, SetHostnameAsFQDN, StreamingProxyRedirects, ValidateProxyRedirects, WarningHeaders
  Feature gates locked to default in 1.24 compared to 1.23: CSIMigrationOpenStack, CSIStorageCapacity, CSRDuration, ControllerManagerLeaderMigration, DefaultPodTopologySpread, EfficientWatchResumption, IndexedJob, NonPreemptingPriority, PodAffinityNamespaceSelector, PodOverhead, PreferNominatedNode, RemoveSelfLink, ServiceLBNodePortControl, ServiceLoadBalancerClass, SuspendJob
* Use 1.24 for local shoot
* Drop removed flag --insecure-port for v1.24, ref kubernetes/kubernetes#106859
* Drop removed flag --port for v1.24, ref kubernetes/kubernetes#106860
* Remove deprecated usages of metadata.Selflink
* Use 1.24 e2e test
* Bump kindest/node image to v1.24
* Adapt changes for k/k v1.24: Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount, ref kubernetes/kubernetes#108309
* Add unit test
kahirokunn added a commit to kahirokunn/aws-ebs-csi-driver that referenced this pull request (Jun 15, 2023):

https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes

> The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). (kubernetes/kubernetes#108309, [@zshihang](https://github.com/zshihang))

Since k8s 1.24, TOKEN is not mounted automatically. If you want to access with IRSA, you need to use a token.

Signed-off-by: kahirokunn <okinakahiro@gmail.com>
weizhouapache added a commit to weizhouapache/cloudstack that referenced this pull request (Jul 24, 2023):

Since Kubernetes v1.24.0, there is no auto-generation of secret-based service account tokens, for security reasons; see kubernetes/kubernetes#108309. To access the Kubernetes dashboard, users need to create a service account and an optional long-lived Bearer Token for the service account.

weizhouapache added a commit to apache/cloudstack that referenced this pull request (Jul 25, 2023):

Since Kubernetes v1.24.0, there is no auto-generation of secret-based service account tokens, for security reasons; see kubernetes/kubernetes#108309. To access the Kubernetes dashboard, users need to create a service account and an optional long-lived Bearer Token for the service account.
Labels: approved, area/test, cncf-cla: yes, kind/feature, lgtm, priority/important-soon, release-note-action-required, sig/api-machinery, sig/apps, sig/auth, sig/testing, size/XL, triage/accepted
What type of PR is this?
/kind feature
What this PR does / why we need it:
stops auto-generation of legacy tokens because they are less secure
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
- [KEP]: kubernetes/enhancements#2800
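The upgrade note quoted in the referencing commits names two replacements for the auto-generated Secret: the TokenRequest API for short-lived tokens, or an explicitly created `kubernetes.io/service-account-token` Secret when a non-expiring token is unavoidable. The following is an added example, not code from this PR or the Kubernetes project, showing both request shapes together with two defender-side checks: telling a legacy secret-based token from a bound one by its claims (legacy tokens carry no `exp` and name their Secret; bound tokens always carry `exp`), and listing the long-lived token Secrets in a Secret list. The tokens, the ServiceAccount names (`build-bot`, `dashboard-admin`) and the Secret list are constructed sample data; the API field names and the `kubernetes.io/service-account.name` annotation are the real ones from the linked docs.

```python
"""Added example (not from PR #108309 or the Kubernetes project): the two
post-1.24 token paths from the upgrade note, plus checks a cluster operator
can run over tokens and Secrets they already hold."""
import base64
import json


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def jwt_claims(token):
    """Claim set of a JWT, read without signature verification.
    Inspection only: deciding whether to accept a token is the API server's job."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def is_legacy_secret_token(token):
    """Legacy secret-based tokens never expire (no 'exp' claim) and name the
    Secret they were stored in; bound tokens from TokenRequest always carry 'exp'."""
    claims = jwt_claims(token)
    return "exp" not in claims and "kubernetes.io/serviceaccount/secret.name" in claims


def token_request_body(expiration_seconds=3600, audiences=None):
    """Body for the TokenRequest subresource
    (POST /api/v1/namespaces/<ns>/serviceaccounts/<sa>/token), which is what
    'kubectl create token <sa> --duration=...' sends on 1.24+."""
    spec = {"expirationSeconds": expiration_seconds}
    if audiences:
        spec["audiences"] = list(audiences)
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": spec}


def token_secret_manifest(sa_name, namespace, secret_name):
    """Secret the token controller populates with a non-expiring token; the
    annotation is what links it to the ServiceAccount. Only create one of these
    when a short-lived TokenRequest token genuinely cannot be used."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {
            "name": secret_name,
            "namespace": namespace,
            "annotations": {"kubernetes.io/service-account.name": sa_name},
        },
        "type": "kubernetes.io/service-account-token",
    }


def long_lived_token_secrets(secret_list):
    """Audit helper over a 'kubectl get secrets -A -o json' style list: every
    Secret holding a non-expiring SA token, auto-generated pre-1.24 or explicit."""
    return sorted(
        f"{s['metadata']['namespace']}/{s['metadata']['name']}"
        for s in secret_list.get("items", [])
        if s.get("type") == "kubernetes.io/service-account-token"
    )


# Constructed sample data: claim names follow the real token formats, values are made up,
# and the signature segment is left empty because nothing here verifies it.
LEGACY_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "ci",
        "kubernetes.io/serviceaccount/secret.name": "build-bot-token-abc12",
        "kubernetes.io/serviceaccount/service-account.name": "build-bot",
        "sub": "system:serviceaccount:ci:build-bot",
    }),
    "",
])
BOUND_TOKEN = ".".join([
    _b64url_encode({"alg": "none", "typ": "JWT"}),
    _b64url_encode({
        "aud": ["https://kubernetes.default.svc"],
        "exp": 1700003600, "iat": 1700000000, "nbf": 1700000000,
        "iss": "https://kubernetes.default.svc",
        "sub": "system:serviceaccount:ci:build-bot",
    }),
    "",
])
SAMPLE_SECRET_LIST = {
    "kind": "SecretList",
    "items": [
        {"metadata": {"name": "build-bot-token-abc12", "namespace": "ci"},
         "type": "kubernetes.io/service-account-token"},
        {"metadata": {"name": "registry-creds", "namespace": "ci"},
         "type": "kubernetes.io/dockerconfigjson"},
        {"metadata": {"name": "dashboard-admin-token", "namespace": "kube-system"},
         "type": "kubernetes.io/service-account-token"},
    ],
}

if __name__ == "__main__":
    print("legacy?", is_legacy_secret_token(LEGACY_TOKEN), is_legacy_secret_token(BOUND_TOKEN))
    print("long-lived token secrets:", long_lived_token_secrets(SAMPLE_SECRET_LIST))
    print(json.dumps(token_request_body(600, ["https://kubernetes.default.svc"]), indent=2))
    print(json.dumps(token_secret_manifest("dashboard-admin", "kube-system", "dashboard-admin-token"), indent=2))
```

`long_lived_token_secrets` is the useful inventory after an upgrade: on a cluster that ran before 1.24 it still lists every auto-generated token Secret, which no longer disappears on its own, so each entry is a candidate for deletion in favour of a TokenRequest-issued token.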