Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Token request: proactively remove unused secret based SA tokens #77600

Closed
enj opened this issue May 8, 2019 · 9 comments
Closed

Token request: proactively remove unused secret based SA tokens #77600

enj opened this issue May 8, 2019 · 9 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/auth Categorizes an issue or PR as relevant to SIG Auth.
Projects
SIG-Auth: Projected Service Account T... SIG Auth Old

Comments

@enj
Copy link
Member

enj commented May 8, 2019

Once it is possible to opt out of secret based SA tokens, any preexisting secrets should be removed.

Action items:

  1. Clean up legacy tokens for the controller service accounts after a release

/sig auth
/sig api-machinery

@kubernetes/sig-auth-feature-requests

xref: #70679 #71275 #72179 #77599

/priority important-longterm
@enj enj added the kind/feature Categorizes issue or PR as related to a new feature. label May 8, 2019
@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels May 8, 2019
@enj enj mentioned this issue May 8, 2019
Closed
@jennybuckley
Copy link

/remove-sig api-machinery

@k8s-ci-robot k8s-ci-robot removed the sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. label May 9, 2019
@WanLinghao
Copy link
Contributor

Since patch #72179 would be contained in v1.15, does that mean we should start clean work after v1.15 released?

Clean up legacy tokens for the controller service accounts after a release

@liggitt
Copy link
Member

liggitt commented May 10, 2019

We can start considering how we'd enable a service account to indicate it didn't want secret tokens in 1.15, but yes, we would not have the controller-manager switch to using that until at least 1.16

@fejta-bot

This comment has been minimized.

Sign in to view
@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Aug 8, 2019
@fejta-bot

This comment has been minimized.

Sign in to view
@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Sep 7, 2019
@krmayankk
Copy link

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Sep 7, 2019
@krmayankk
Copy link

/lifecycle frozen

@k8s-ci-robot k8s-ci-robot added the lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. label Sep 7, 2019
@liggitt liggitt added this to Tracking issues / designs in SIG-Auth: Projected Service Account Tokens Feb 8, 2021
@liggitt liggitt moved this from Tracking issues / designs to Backlog in SIG-Auth: Projected Service Account Tokens Feb 8, 2021
@enj enj added this to Backlog in SIG Auth Old Apr 9, 2021
@enj enj moved this from Needs Triage to Backlog in SIG Auth Old May 24, 2021
@enj enj moved this from Backlog to Needs KEP in SIG Auth Old Jul 13, 2021
@rfranzke rfranzke mentioned this issue Oct 8, 2021
Merged
@liggitt
Copy link
Member

liggitt commented Nov 4, 2021

Stopping auto-generating new secret-based tokens and removing existing unused secret-based tokens is being addressed in KEP 2799 (kubernetes/enhancements#2800)

/close

@k8s-ci-robot
Copy link
Contributor

@liggitt: Closing this issue.

In response to this:

Stopping auto-generating new secret-based tokens and removing existing unused secret-based tokens is being addressed in KEP 2799 (kubernetes/enhancements#2800)

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

SIG-Auth: Projected Service Account Tokens automation moved this from Backlog to 1.22 - Done Nov 4, 2021
SIG Auth Old automation moved this from Needs KEP to Closed / Done Nov 4, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. sig/auth Categorizes an issue or PR as relevant to SIG Auth.
Projects
SIG Auth
Archived in project
SIG-Auth: Projected Service Account T...
1.22 - Done
SIG Auth Old
Closed / Done
Milestone
No milestone
Development

No branches or pull requests
7 participants
@liggitt @enj @WanLinghao @krmayankk @k8s-ci-robot @fejta-bot @jennybuckley