OSDOCS-4272: Updating for service account issuer behavior change #51791
Conversation
Note: this PR is probably going to need to be cherry picked carefully - so that it makes it to 4.9/4.10/4.11 at the same time that the code change makes it in to the applicable z-stream
🤖 Updated build preview is available at: Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/2616
@mfojtik @stlaz Here's the PR at least for the part, updating this procedure to say the old issuer is valid for 24 hours, and removing the steps to manually restart pods. Let me know:
|
==== | ||
If you update the `serviceAccountIssuer` field and there are bound tokens already in use, all bound tokens with the previous issuer value will be invalidated. Unless the holder of a bound token has explicit support for a change in issuer, the holder will not request a new bound token until pods have been restarted. | ||
|
||
If necessary, you can manually restart all pods in the cluster so that the holder will request a new bound token. Before doing this, wait for a new revision of the Kubernetes API server pods to roll out with your service account issuer changes. |
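Review bot: the note text in this hunk says bound tokens with the previous issuer "will be invalidated" but never says when, while the PR summary above states the old issuer stays valid for 24 hours; state that window in the note itself (for example, "tokens issued with the previous issuer remain valid for 24 hours") so readers know how long workloads have to pick up a token from the new issuer before the restart step becomes mandatory.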
If necessary, you can manually restart all pods in the cluster so that the holder will request a new bound token. Before doing this, wait for a new revision of the Kubernetes API server pods to roll out with your service account issuer changes.
I would keep this section here to ensure we indicate that workloads that use bound tokens might need to restart to pick up a new bound token.
/cc @stlaz
@mfojtik I thought you had said that we didn't need the steps to manually restart all pods? Are you saying you want me to keep this statement in the note, and also bring back those steps in the procedure?
@bergerhoffer "if necessary" is the culprit here... we want to make sure that if somebody runs a workload that uses a bound token for something, that workload is aware the service account changed. If the workload is smart, it always reads it from the disk in a container (and it will be updated there)... if the workload is not smart, they read it into memory and it might need a restart to update.
with this sentence, I want to ensure that we cover the "not so-smart" workloads.
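The distinction drawn above between a workload that re-reads the projected token file and one that copies it into memory, as an added Go example that is not part of this PR or of the OpenShift documentation. The `TokenSource` type, the `issuerOf` helper and the default token path are assumptions of the example; it decodes JWT claims without verifying the signature because token verification is the API server's job, and the client only needs to notice that the issuer on disk has changed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"os"
	"strings"
)

// issuerOf returns the iss claim of a JWT without verifying the signature:
// the API server verifies tokens, the workload only needs to see the issuer.
func issuerOf(token string) (string, error) {
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return "", errors.New("not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct{ Iss string `json:"iss"` }
	err = json.Unmarshal(payload, &claims)
	return claims.Iss, err
}

// TokenSource is the "smart" pattern: each call re-reads the projected token
// file (default /var/run/secrets/kubernetes.io/serviceaccount/token), so the
// rotated token naming the new issuer is used without a pod restart. A
// workload that copies the token into memory once keeps the old one.
type TokenSource struct {
	Path       string
	lastIssuer string
}

// Token returns the current token and whether its issuer differs from the
// one seen on the previous call; this is the signal to re-authenticate.
func (s *TokenSource) Token() (string, bool, error) {
	b, err := os.ReadFile(s.Path)
	if err != nil {
		return "", false, err
	}
	iss, err := issuerOf(string(b))
	if err != nil {
		return "", false, err
	}
	changed := s.lastIssuer != "" && iss != s.lastIssuer
	s.lastIssuer = iss
	return string(b), changed, nil
}
```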
Gotcha. Sentence + steps put back as requested :)
/label peer-review-needed
/remove-label peer-review-needed
Thanks @JoeAldinger! I believe this will be making the z-streams next week (4.11.11 and 4.10.39, not sure about 4.9 yet). But I will confirm for sure as soon as I know!
@JoeAldinger @opayne1 Okay, these all look to be making it for next week, so:
So we'll need to cherry pick this PR to the appropriate version on the appropriate day. And also will need to add a blurb to each of the z-stream release notes (blurb is in this gdoc). I can check back in each of these days to make sure we're good, but let me know if there's anything else I can do. Thanks for your help with this!
Thank you @bergerhoffer! We will keep you updated.
/lgtm
Since the first z-stream is releasing today, I am merging this and will set up each CP with the date and z-stream PR it needs to be merged with.
/cherrypick enterprise-4.12
/cherrypick enterprise-4.11
/cherrypick enterprise-4.10
/cherrypick enterprise-4.9
@bergerhoffer: new pull request created: #52295 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@bergerhoffer: new pull request created: #52296 In response to this:
@bergerhoffer: new pull request created: #52297 In response to this:
@bergerhoffer: new pull request created: #52298 In response to this:
Version(s):
4.9+
Issue:
https://issues.redhat.com/browse/OSDOCS-4272
Link to docs preview:
https://51791--docspreview.netlify.app/openshift-enterprise/latest/authentication/bound-service-account-tokens.html#bound-sa-tokens-configuring_bound-service-account-tokens
QE review:
Additional information: