Added the note for --service-account-issuer flag. #31237
Conversation
Deploy Preview for kubernetes-io-main-staging ready!
Explore the source changes: ff133ee
Inspect the deploy log: https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/61f8d2145fe9b2000717d818
Browse the preview: https://deploy-preview-31237--kubernetes-io-main-staging.netlify.app
Hi @Shubham82, please sign the CLA for the PR to be reviewed
To enable non-disruptive change of issuer we can specify `--service-account-issuer` flag multiple times to `kube-apiserver` for k8s v1.22 and later versions. | ||
|
||
{{< /note >}} |
To enable non-disruptive change of issuer we can specify `--service-account-issuer` flag multiple times to `kube-apiserver` for k8s v1.22 and later versions. | |
{{< /note >}} | |
{{< /note >}} | |
You can specify the `--service-account-issuer` argument multiple times. This can be useful to | |
enable a non-disruptive change of the key for an issuer. | |
You must be running running Kubernetes v1.22 or later to be able to specify | |
`--service-account-issuer` multiple times`. |
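Review bot: the last line of the suggested text has a stray backtick after `multiple times`, and "running running" is doubled in the line before it; both are carried over from the text being replaced. The suggestion also turns "non-disruptive change of issuer" into "non-disruptive change of the key for an issuer", which is a different claim: repeating `--service-account-issuer` changes which identifier is asserted in the `iss` claim, while the signing key is set separately by `--service-account-signing-key-file`. Keep "change of the issuer" and fix the two typos.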
Is that true? How does that work if there are two different keys / signing keys?
Hi @sftim,
I have addressed the comment, please take a look.
Thanks
You can specify the `--service-account-issuer` argument multiple times. This can be useful to | ||
enable a non-disruptive change of the key for an issuer. | ||
You must be running running Kubernetes v1.22 or later to be able to specify | ||
`--service-account-issuer` multiple times. |
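Review bot: "running running" is doubled in the third line. More substantively, "non-disruptive change of the key for an issuer" describes the wrong flag: the key comes from `--service-account-signing-key-file` (signing) and `--service-account-key-file` (verification), while `--service-account-issuer` sets the issuer identifier. State what repeating it actually does: the first value is used when signing new tokens and every listed value is accepted when validating tokens presented to the API server. Since the other flags in this section are also repeatable (`--service-account-key-file`, `--api-audiences`), say in one sentence how they behave so the reader does not have to consult the kube-apiserver reference.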
This isn't wrong but it's also not at all clear (to a reader) what the deal is about specifying the other arguments such as `--service-account-key-file` multiple times.
Readers have to go and look at https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ to work it out.
It would be nice to save them some of that effort.
Hi @sftim, can we write it like this so that readers have some information about these flags? Please take a look and let me know your thoughts on this. If it seems good, I will add it.

`--service-account-issuer` can be used for the identifier of the service account token issuer. The issuer will assert this identifier in the "iss" claim of issued tokens. This value must be a string or URI.

You can specify the `--service-account-key-file` flag multiple times with different files. It must be specified when `--service-account-signing-key` is provided. This file contains PEM-encoded x509 RSA or ECDSA private or public keys which are used to verify ServiceAccount tokens. There is no need for k8s v1.22 or greater; it also works in versions of k8s lower than v1.22.

You can use the `--service-account-signing-key-file` flag for the path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.

You can use the `--api-audiences` flag for identifiers of the API. We can specify multiple audiences for whom the token is used. You can also omit it; if it is not specified, it defaults to a single-element list containing the issuer URL.

For more information, please see the various flags used in [kube-apiserver](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/).
The behavior when the flags are specified multiple times should be described. If `service-account-key-file` or `api-audiences` is specified multiple times, tokens signed by any of the specified keys or for any of the specified audiences are considered valid by the Kubernetes API server.
Hi @liggitt, thanks for looking at this.

> The behavior when the flags are specified multiple times should be described. If `service-account-key-file` or `api-audiences` is specified multiple times, tokens signed by any of the specified keys or for any of the specified audiences are considered valid by the Kubernetes API server.

Sure, I will add this to it.
Hi @liggitt @sftim, I modified it according to the suggestion. We can append these lines to the commit. Please take a look at this one, and let me know any changes or modifications you want.

`--service-account-issuer` can be used for the identifier of the service account token issuer. The issuer will assert this identifier in the "iss" claim of issued tokens. This value must be a string or URI. If `service-account-issuer` is specified multiple times, tokens issued by any of the specified issuers are considered valid by the Kubernetes API server.

You can specify the `--service-account-key-file` flag multiple times with different files. It must be specified when `--service-account-signing-key` is provided. This file contains PEM-encoded x509 RSA or ECDSA private or public keys which are used to verify ServiceAccount tokens. There is no need for k8s v1.22 or greater; it also works in versions of k8s lower than v1.22. If `service-account-key-file` is specified multiple times, tokens signed by any of the specified keys are considered valid by the Kubernetes API server.

You can use the `--service-account-signing-key-file` flag for the path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.

You can use the `--api-audiences` flag for identifiers of the API. We can specify multiple audiences for whom the token is used. You can also omit it; if it is not specified, it defaults to a single-element list containing the issuer URL. If `api-audiences` is specified multiple times, tokens for any of the specified audiences are considered valid by the Kubernetes API server.

For more information, please see the various flags used in [kube-apiserver](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/).

Thanks.
Hi @sftim @liggitt,
Could you please take a look and let me know your thoughts on this?

> Hi @liggitt @sftim, I modified it according to the suggestion. We can append these lines to the commit. Please take a look at this one, and let me know any changes or modifications you want.
>
> `--service-account-issuer` can be used for the identifier of the service account token issuer. The issuer will assert this identifier in the "iss" claim of issued tokens. This value must be a string or URI. If `service-account-issuer` is specified multiple times, tokens issued by any of the specified issuers are considered valid by the Kubernetes API server.
>
> You can specify the `--service-account-key-file` flag multiple times with different files. It must be specified when `--service-account-signing-key` is provided. This file contains PEM-encoded x509 RSA or ECDSA private or public keys which are used to verify ServiceAccount tokens. There is no need for k8s v1.22 or greater; it also works in versions of k8s lower than v1.22. If `service-account-key-file` is specified multiple times, tokens signed by any of the specified keys are considered valid by the Kubernetes API server.
>
> You can use the `--service-account-signing-key-file` flag for the path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.
>
> You can use the `--api-audiences` flag for identifiers of the API. We can specify multiple audiences for whom the token is used. You can also omit it; if it is not specified, it defaults to a single-element list containing the issuer URL. If `api-audiences` is specified multiple times, tokens for any of the specified audiences are considered valid by the Kubernetes API server.
>
> For more information, please see the various flags used in [kube-apiserver](https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/).

Thanks.
/sig auth
You can specify the `--service-account-issuer` argument multiple times. This can be useful to | ||
enable a non-disruptive change of the key for an issuer. | ||
You must be running running Kubernetes v1.22 or later to be able to specify | ||
`--service-account-issuer` multiple times. |
I'd suggest something like this:
You can specify the `--service-account-issuer` argument multiple times.
This can be useful to enable a non-disruptive change of the issuer.
The first issuer specified is used when signing new tokens,
and all of the specified issuers are accepted when validating tokens presented to the API server.
You must be running Kubernetes v1.22 or later to be able to specify
`--service-account-issuer` multiple times.
Thanks, @liggitt, for looking at this.
This sounds good, +1.

> I'd suggest something like this:
> You can specify the `--service-account-issuer` argument multiple times. This can be useful to enable a non-disruptive change of the issuer. The first issuer specified is used when signing new tokens, and all of the specified issuers are accepted when validating tokens presented to the API server. You must be running Kubernetes v1.22 or later to be able to specify `--service-account-issuer` multiple times.

But this is only for the `--service-account-issuer` flag; should I mention the other flags too, or go with only the `--service-account-issuer` flag?
We can copy in the CLI flag doc if that's helpful:

`--service-account-key-file`: File containing PEM-encoded x509 RSA or ECDSA private or public keys, used to verify ServiceAccount tokens. The specified file can contain multiple keys, and the flag can be specified multiple times with different files.

`--service-account-issuer`: When this flag is specified multiple times, the first is used to generate tokens and all are used to determine which issuers are accepted. You must be running Kubernetes v1.22 or later to be able to specify `--service-account-issuer` multiple times.

`--api-audiences`: The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences.
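The semantics liggitt states in the two comments above (the first `--service-account-issuer` signs new tokens, every listed issuer is accepted on validation, any `--service-account-key-file` key may verify a token, and a token needs only one audience in `--api-audiences`) are easier to reason about when written out. The following is an added example and not kube-apiserver code or anything from this PR: it models those flag semantics with a stand-in HMAC-SHA256 signature (real service account tokens are RS256/ES256 JWTs signed with the `--service-account-signing-key-file` key), assumes the verification half of the signing key is present among the `--service-account-key-file` keys, and walks through the three command lines of an issuer rotation, including the case where `--api-audiences` is left at its default. Issuer URLs, key ids and key bytes are constructed for the example.

```python
# Added example (not kube-apiserver code): a model of how repeated
# --service-account-issuer / --service-account-key-file / --api-audiences
# values are treated. HMAC-SHA256 stands in for the RS256/ES256 signature
# that --service-account-signing-key-file produces in the real API server.
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class APIServerConfig:
    """One kube-apiserver command line, reduced to the flags in question.
    issuers, keys and audiences hold every --service-account-issuer,
    --service-account-key-file and --api-audiences value; signing_kid names
    the key standing in for --service-account-signing-key-file (this model
    assumes its verification half is also among `keys`)."""

    def __init__(self, issuers, keys, signing_kid, audiences=None):
        if not issuers:
            raise ValueError("--service-account-issuer is required")
        self.issuers = list(issuers)
        self.keys = dict(keys)
        self.signing_kid = signing_kid
        # kube-apiserver default: a single-element list with the issuer URL.
        self.audiences = list(audiences) if audiences else [self.issuers[0]]

    def issue(self, namespace, name, iat=1_700_000_000):
        """Mint a token. Only the FIRST configured issuer goes into `iss`."""
        header = {"alg": "HS256", "kid": self.signing_kid, "typ": "JWT"}
        claims = {"iss": self.issuers[0], "aud": self.audiences, "iat": iat,
                  "sub": f"system:serviceaccount:{namespace}:{name}"}
        signing_input = (b64url(json.dumps(header).encode()) + "."
                         + b64url(json.dumps(claims).encode()))
        sig = hmac.new(self.keys[self.signing_kid], signing_input.encode(),
                       hashlib.sha256).digest()
        return signing_input + "." + b64url(sig)

    def validate(self, token):
        """Return (accepted, reason). ANY configured key may verify the
        signature, `iss` may be ANY configured issuer, and at least one
        `aud` entry must match ANY configured audience."""
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        signing_input = f"{parts[0]}.{parts[1]}".encode()
        sig = b64url_decode(parts[2])
        # The header's kid is attacker-controlled, so try every configured key.
        if not any(hmac.compare_digest(
                hmac.new(k, signing_input, hashlib.sha256).digest(), sig)
                   for k in self.keys.values()):
            return False, "signature not verifiable with any --service-account-key-file key"
        claims = json.loads(b64url_decode(parts[1]))
        if claims.get("iss") not in self.issuers:
            return False, f"issuer {claims.get('iss')!r} not in --service-account-issuer"
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if not set(aud) & set(self.audiences):
            return False, "no audience matches --api-audiences"
        return True, "ok"


def rotation_walkthrough():
    """Three successive command lines of an issuer change and what each accepts.
    Issuer URLs and key bytes are constructed for this example."""
    old_iss = "https://old-issuer.example.test"
    new_iss = "https://kubernetes.default.svc.cluster.local"
    keys = {"old": b"old-signing-secret", "new": b"new-signing-secret"}

    # Before: --service-account-issuer=<old>, one key, --api-audiences defaulted.
    before = APIServerConfig([old_iss], {"old": keys["old"]}, "old")
    old_token = before.issue("default", "builder")

    # During: --service-account-issuer=<new> --service-account-issuer=<old>
    #   --service-account-key-file=<old.pub> --service-account-key-file=<new.pub>
    #   --api-audiences=<new>,<old>      (new issuer listed first, so it signs)
    during = APIServerConfig([new_iss, old_iss], keys, "new", [new_iss, old_iss])
    new_token = during.issue("default", "builder")

    # Same, but --api-audiences forgotten: it defaults to [new_iss], so tokens
    # minted under the old issuer (aud=[old_iss]) fail the audience check.
    during_no_aud = APIServerConfig([new_iss, old_iss], keys, "new")

    # After: old issuer and old key dropped once every workload has refreshed.
    after = APIServerConfig([new_iss], {"new": keys["new"]}, "new")

    return {
        "new_token_iss": json.loads(b64url_decode(new_token.split(".")[1]))["iss"],
        "during_accepts_old": during.validate(old_token)[0],
        "during_accepts_new": during.validate(new_token)[0],
        "during_no_aud_rejects_old": during_no_aud.validate(old_token),
        "after_accepts_old": after.validate(old_token)[0],
        "after_accepts_new": after.validate(new_token)[0],
    }
```

Calling `rotation_walkthrough()` shows the point of the ordering rule: tokens minted during the transition already carry the new issuer, old tokens keep working only while the old issuer, the old verification key and the old audience are all still listed, and the `during_no_aud` case is the operational trap, since the audience default silently follows the first issuer.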
content lgtm, will defer to docs reviewer on formatting
* `--service-account-signing-key-file` | ||
|
||
Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. |
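Review bot: the description should tell the reader that the verification half of this key also has to be supplied through `--service-account-key-file`, since that flag holds the keys used to verify ServiceAccount tokens and must be specified whenever a signing key file is given; otherwise tokens the API server signs with this key are not accepted by its own authenticator. One sentence pointing at `--service-account-key-file` here would close that gap.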
Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key. | |
Path to the file that contains the current private key of the service account token issuer. The issuer signs issued ID tokens with this private key. |
* `--api-audiences` (can be omitted) | ||
|
||
The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If `api-audiences` is specified multiple times, tokens for any of the specified audiences are considered valid by the Kubernetes API server. If the `--service-account-issuer` flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL. |
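Review bot: the final sentence says the audience defaults to a single-element list containing the issuer URL, but once `--service-account-issuer` is repeated the reader cannot tell which issuer's URL that is, and tokens minted before the change carry only the old issuer URL as their audience. Add a sentence telling operators to set `--api-audiences` explicitly with both the old and the new issuer for the duration of an issuer change; otherwise existing tokens fail the audience check even though their issuer is still accepted.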
The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences. If `api-audiences` is specified multiple times, tokens for any of the specified audiences are considered valid by the Kubernetes API server. If the `--service-account-issuer` flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL. | |
The service account token authenticator validates that tokens used against the API are bound to at least one of these audiences. If `api-audiences` is specified multiple times, tokens for any of the specified audiences are considered valid by the Kubernetes API server. If the `--service-account-issuer` flag is configured and this flag is not, this field defaults to a single element list containing the issuer URL. |
Thanks, @jimangel, for taking a look at this.
I will modify it soon.
Hi @jimangel,
I have addressed the comment. Please take a look!
/label tide/merge-method-squash
LGTM also from #31237 (comment)
LGTM label has been added. Git tree hash: 25d6792263ea361b1eb69cb04b3590bba109c5e6
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sftim The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
This PR adds more information for the `--service-account-issuer` flag under Service Account Token Volume Projection in the Configure Service Accounts for Pods task.
Fixes: #31235