-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TokenRequest API and Kubelet integration #542
Comments
Should we add the use of the token request API to this bug as well? Specifically, consuming those tokens and allowing the service account token injector to be specialized? |
@smarterclayton added that to this feature. |
@mikedanese this item is listed on the feature tracking spreadsheet for 1.10 as needing docs. Does it in fact need them? If not, could you please update here? If so, could you please get a docs PR in against the 1.10 branch of the k8s/website repo asap? Thanks! |
@mikedanese @smarterclayton docs update please? We need to get docs PRs merged by this Friday (March 9). Thanks! |
I added a comment. No docs needed. |
@mikedanese If so, can you please ensure the feature is up-to-date with the appropriate:
cc @idvoretskyi |
@mikedanese please fill out the appropriate line item of the |
@mikedanese -- We're doing one more sweep of the 1.11 Features tracking spreadsheet. |
@mikedanese This feature was worked on in the previous milestone, so we'd like to check in and see if there are any plans for this to graduate stages in Kubernetes 1.12. If there are any updates, please explicitly ping @justaugustus, @kacole2, @robertsandoval, @rajendar38 to note that it is ready to be included in the Features Tracking Spreadsheet for Kubernetes 1.12. Please note that the Features Freeze is July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.In addition, please be aware of the following relevant deadlines:
Please make sure all PRs for features have relevant release notes included as well. Happy shipping! |
This is going to beta in 1.12 |
Thanks for the update. I've added this to the 1.12 tracking sheet. |
Hey there! @mikedanese I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it? |
@mikedanese -- |
Hello @zshihang 👋, 1.22 Docs release lead here. This enhancement is marked as ‘Needs Docs’ for 1.22 release. Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT. Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release. p.s.: please remember to update the feature gates table for |
Hi @zshihang, With kubernetes/kubernetes#101992 merged, we will mark this as code complete for the 1.22 release 🎉 |
Heya @zshihang, please see my comment above regarding the docs placeholder PR, deadline is approaching, |
Hi @zshihang, |
Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature to beta and enabled it by default. This feature improves security of service account tokens by requiring a one hour expiry time, over the previous default of no expiration. This means that applications that do not refetch service account tokens periodically will receive an HTTP 401 unauthorized error response on requests to Kubernetes API server with expired tokens kubernetes/enhancements#542 This commit forces kube-schedule-scaler to refresh token every minute, and acts as workaround at least until pykube-ng implements automatic token renewal.
Periodically refresh ServiceAccount tokens. This is required to avoid authentication errors when time-bound tokens [1] are rotated, and the initially-read token expires. Time bound tokens are beta in Kubernetes 1.21, and GA in 1.22 [2]. [1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens [2]: kubernetes/enhancements#542
Periodically refresh ServiceAccount tokens. This is required to avoid authentication errors when time-bound tokens [1] are rotated, and the initially-read token expires. Time bound tokens are beta in Kubernetes 1.21, and GA in 1.22 [2]. [1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens [2]: kubernetes/enhancements#542
Periodically refresh ServiceAccount tokens. This is required to avoid authentication errors when time-bound tokens [1] are rotated, and the initially-read token expires. Time bound tokens are beta in Kubernetes 1.21, and GA in 1.22 [2]. [1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens [2]: kubernetes/enhancements#542
Periodically refresh ServiceAccount tokens. This is required to avoid authentication errors when time-bound tokens [1] are rotated, and the initially-read token expires. Time bound tokens are beta in Kubernetes 1.21, and GA in 1.22 [2]. [1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens [2]: kubernetes/enhancements#542
Improved service account tokens
The text was updated successfully, but these errors were encountered: