mv TokenRequest and TokenRequestProjection to GA #93258

Merged
merged 1 commit into from
Oct 30, 2020

zshihang
Contributor

@zshihang zshihang commented Jul 20, 2020

What type of PR is this?

/kind api-change

What this PR does / why we need it:
move TokenRequest and TokenRequestProjection features to GA in v1.20

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

+ `TokenRequest` and `TokenRequestProjection` features have been promoted to GA. This feature allows generating service account tokens that are not visible in Secret objects and are tied to the lifetime of a Pod object. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection for details on configuring and using this feature. The `TokenRequest` and `TokenRequestProjection` feature gates will be removed in v1.21.
+ kubeadm's kube-apiserver Pod manifest now includes the following flags by default "--service-account-key-file", "--service-account-signing-key-file", "--service-account-issuer".

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md
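
A Pod spec that uses the service account token volume projection described in the release note above, added here as an illustration and not part of this PR. The Pod, namespace, service account, image, audience and lifetime values are placeholders.

```yaml
# Added example, not from the PR. All names and values are placeholders.
# Token issuance relies on the kube-apiserver flags named in the release note:
# --service-account-key-file, --service-account-signing-key-file,
# --service-account-issuer.
apiVersion: v1
kind: Pod
metadata:
  name: token-demo                # hypothetical
  namespace: demo                 # hypothetical
spec:
  serviceAccountName: demo-sa     # hypothetical
  # Do not also mount the default service account token into this Pod.
  automountServiceAccountToken: false
  containers:
  - name: app
    image: registry.example/app:1.0   # placeholder image
    volumeMounts:
    - name: bound-token
      mountPath: /var/run/secrets/tokens
      readOnly: true
  volumes:
  - name: bound-token
    projected:
      sources:
      - serviceAccountToken:
          # File name under mountPath; the kubelet requests the token through
          # the TokenRequest API and refreshes this file before expiry, so
          # the application must re-read it rather than cache the value.
          path: token
          # Intended recipient; a verifier should reject tokens whose
          # audience does not include its own identifier.
          audience: demo-backend      # hypothetical audience
          # Requested lifetime in seconds (the API minimum is 600).
          expirationSeconds: 3600
```

The token is written only to the projected volume, not to a Secret object, and it stops being valid once the Pod is deleted.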

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jul 20, 2020
@k8s-ci-robot
Contributor

Hi @zshihang. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Jul 20, 2020
@zshihang
Contributor Author

/assign @soltysh

@zshihang
Contributor Author

/cc @mikedanese

@fejta-bot

This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

@zshihang
Contributor Author

/label api-review

@k8s-ci-robot k8s-ci-robot added the api-review Categorizes an issue or PR as actively needing an API review. label Jul 20, 2020
@mikedanese mikedanese assigned mikedanese and unassigned soltysh Jul 21, 2020
@mikedanese
Member

@kubernetes/sig-auth-pr-reviews

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jul 21, 2020
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. area/apiserver area/test and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 27, 2020
@liggitt
Member

liggitt commented Oct 30, 2020

/lgtm
/approve
/hold for @neolit123 ack on kubeadm bits

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels Oct 30, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, neolit123, zshihang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 30, 2020
@liggitt
Member

liggitt commented Oct 30, 2020

@zshihang go ahead and open a WIP docs PR against the https://github.com/kubernetes/website/tree/dev-1.20 branch to update https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection with the --api-audiences flag and the GA status.

@zshihang
Contributor Author

regarding the kubeadm, the only diff is the default value for issuer and necessary changes to pass unit test.

@liggitt
Member

liggitt commented Oct 30, 2020

/hold cancel

based on #93258 (comment) and #93258 (comment)

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 30, 2020
@neolit123
Member

Lgtm. Thanks for the updates.

@kikisdeliveryservice
Member

Q: Is this related to an enhancement?

@k8s-ci-robot k8s-ci-robot merged commit bf67247 into kubernetes:master Oct 30, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Oct 30, 2020
@neolit123
Member

neolit123 commented Oct 31, 2020

@kikisdeliveryservice

hi, yes this is for:
https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md

@zshihang

could you please add the docs block as seen at the bottom here (the docs type is needed around the block):
https://raw.githubusercontent.com/kubernetes/kubernetes/master/.github/PULL_REQUEST_TEMPLATE.md

- [KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md

also could you please add some sort of a mention about kubeadm in the release-note:

kubeadm's kube-apiserver Pod manifest now includes the following flags by default "--service-account-key-file", "--service-account-signing-key-file", "--service-account-issuer".

@zshihang
Contributor Author

@neolit123 added. thanks.

@kikisdeliveryservice
Member

Hi all,

I don't see any open (or closed) issue 1205 nor is this enhancement tracked for 1.20 in the spreadsheet: http://bit.ly/k8s-1-20-enhancements

Can someone please explain what the tracking issue for this is? As this was not tracked and there was no underlying tracking issue an exception will need to be filed. See: https://github.com/kubernetes/sig-release/blob/master/releases/release_phases.md#exceptions

Thanks,
Kirsten
1.20 Enhancements Lead

@liggitt
Member

liggitt commented Nov 2, 2020

Apologies for the disconnect. The KEP is at https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens and was updated with v1.20 plans prior to enhancements freeze in kubernetes/enhancements#1912

The KEP number came from the original PR that converted a pre-KEP design to KEP format (kubernetes/enhancements#1205)

@kikisdeliveryservice
Member

Hi @liggitt

There is no tracking issue (which is required for all enhancements), and the enhancement is not being tracked by the release team for 1.20. The KEP is also misnumbered as the naming should be - as per the templates found here: https://github.com/kubernetes/enhancements/tree/master/keps/NNNN-kep-template

The requirement to have a 1.20 milestoned issue was also mentioned in my email on October 5 sent to k-dev: https://groups.google.com/g/kubernetes-dev/c/1KF6mmO1WsQ/m/IFWMkeKVCwAJ

Please open an exception request ASAP.

Thanks,
Kirsten

@liggitt
Member

liggitt commented Nov 2, 2020

> There is no tracking issue (which is required for all enhancements), and the enhancement is not being tracked by the release team for 1.20. The KEP is also misnumbered as the naming should be - as per the templates found here: https://github.com/kubernetes/enhancements/tree/master/keps/NNNN-kep-template

Understood. The template/process has changed since this KEP was created, and work to sweep existing designs/KEPs that predated those changes has been inconsistent. This highlights a gap in the release process that relies on keeping multiple disconnected information sources (kep.yaml files, enhancements issues, tracking spreadsheet, etc) in sync manually.

Opened kubernetes/enhancements#2126 as a tracking issue and started the thread for the exception at https://groups.google.com/g/kubernetes-sig-release/c/VLiE7Lsy6Es

Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/kubeadm area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/storage Categorizes an issue or PR as relevant to SIG Storage. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
Status: API review completed, 1.20
8 participants