TokenRequest API and Kubelet integration #542

Closed
mikedanese opened this issue Jan 18, 2018 · 72 comments · Fixed by kubernetes/kubernetes#101992
Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/storage Categorizes an issue or PR as relevant to SIG Storage. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

@mikedanese
Member

mikedanese commented Jan 18, 2018

Improved service account tokens

@mikedanese mikedanese added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jan 18, 2018
@mikedanese mikedanese self-assigned this Jan 18, 2018
@mikedanese mikedanese added this to the v1.10 milestone Jan 18, 2018
@mikedanese mikedanese added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 18, 2018
@idvoretskyi idvoretskyi added the stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status label Jan 22, 2018
@smarterclayton
Contributor

Should we add the use of the token request API to this bug as well? Specifically, consuming those tokens and allowing the service account token injector to be specialized?

@mikedanese mikedanese changed the title TokenRequest API TokenRequest API and Kubelet integration Jan 25, 2018
@mikedanese
Member Author

@smarterclayton added that to this feature.

@idvoretskyi idvoretskyi added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jan 29, 2018
@Bradamant3
Contributor

@mikedanese this item is listed on the feature tracking spreadsheet for 1.10 as needing docs. Does it in fact need them? If not, could you please update here? If so, could you please get a docs PR in against the 1.10 branch of the k8s/website repo asap? Thanks!

@Bradamant3
Contributor

@mikedanese @smarterclayton docs update please? We need to get docs PRs merged by this Friday (March 9). Thanks!
/cc @idvoretskyi

@mikedanese
Member Author

I added a comment. No docs needed.

@justaugustus
Member

@mikedanese
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

@mdlinville

@mikedanese please fill out the appropriate line item of the
1.11 feature tracking spreadsheet
and open a placeholder docs PR against the
release-1.11 branch
by 5/25/2018 (tomorrow as I write this) if new docs or docs changes are
needed and a relevant PR has not yet been opened.

@justaugustus
Member

@mikedanese -- We're doing one more sweep of the 1.11 Features tracking spreadsheet.
Would you mind filling in any incomplete / blank fields for this feature's line item?

@justaugustus justaugustus removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jul 18, 2018
@kacole2

kacole2 commented Jul 23, 2018

@mikedanese This feature was worked on in the previous milestone, so we'd like to check in and see if there are any plans for this to graduate stages in Kubernetes 1.12.

If there are any updates, please explicitly ping @justaugustus, @kacole2, @robertsandoval, @rajendar38 to note that it is ready to be included in the Features Tracking Spreadsheet for Kubernetes 1.12.


Please note that the Features Freeze is July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.

In addition, please be aware of the following relevant deadlines:

  • Docs deadline (open placeholder PRs): 8/21
  • Test case freeze: 8/28

Please make sure all PRs for features have relevant release notes included as well.

Happy shipping!

@justaugustus justaugustus removed this from the v1.11 milestone Jul 31, 2018
@mikedanese mikedanese added stage/beta Denotes an issue tracking an enhancement targeted for Beta status and removed stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status labels Jul 31, 2018
@mikedanese mikedanese added this to the v1.12 milestone Jul 31, 2018
@mikedanese
Member Author

This is going to beta in 1.12

@justaugustus
Member

Thanks for the update. I've added this to the 1.12 tracking sheet.

cc: @kacole2 @wadadli @robertsandoval @rajendar38

@justaugustus justaugustus added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Aug 4, 2018
@zparnold
Member

Hey there! @mikedanese I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?

@justaugustus
Member

@mikedanese --
Any update on docs status for this feature? Are we still planning to land it for 1.12?
At this point, code freeze is upon us, and docs are due on 9/7 (2 days).
If we don't hear anything back regarding this feature ASAP, we'll need to remove it from the milestone.

cc: @zparnold @jimangel @tfogo

@PI-Victor
Member

PI-Victor commented May 18, 2021

Hello @zshihang 👋, 1.22 Docs release lead here.

This enhancement is marked as ‘Needs Docs’ for 1.22 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.
Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

p.s.: please remember to update the feature gates table for BoundServiceAccountTokenVolume graduation.

@reylejano
Member

Hi @zshihang,

With kubernetes/kubernetes#101992 merged, we will mark this as code complete for the 1.22 release 🎉

@PI-Victor
Member

Heya @zshihang, please see my comment above regarding the docs placeholder PR, deadline is approaching,
thank you!

@reylejano
Member

reylejano commented Jun 23, 2021

Hi @zshihang,
We're just over 2 weeks away from code freeze (July 8, 2021). Other than kubernetes/kubernetes#101992 , are there any additional open or merged k/k PRs we should be tracking for the 1.22 release?
Thank you!

michelesr added a commit to citizensadvice/kube-schedule-scaler that referenced this issue May 18, 2022
Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature
to beta and enabled it by default. This feature improves security of
service account tokens by requiring a one hour expiry time, over the
previous default of no expiration. This means that applications that do
not refetch service account tokens periodically will receive an HTTP 401
unauthorized error response on requests to Kubernetes API server with
expired tokens.

kubernetes/enhancements#542

This commit forces kube-schedule-scaler to refresh the token every minute,
and acts as a workaround at least until pykube-ng implements automatic
token renewal.
JacobHenner added a commit to JacobHenner/kubernetes_asyncio that referenced this issue May 18, 2022
Periodically refresh ServiceAccount tokens. This is required to avoid
authentication errors when time-bound tokens [1] are rotated, and the
initially-read token expires. Time bound tokens are beta in Kubernetes
1.21, and GA in 1.22 [2].

[1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens
[2]: kubernetes/enhancements#542
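
The periodic refresh that the commit messages above describe, shown as an added example that is not code from this issue, kube-schedule-scaler, pykube-ng or kubernetes_asyncio: a file-backed token source that re-reads the mounted token once 80% of its lifetime has passed, so a client never keeps sending the token it read at startup. `RefreshingToken`, `constructed_token` and `demo` are hypothetical names, the 80% threshold and 60-second fallback are assumptions, and the sample tokens are constructed.

```python
import base64, json, pathlib, tempfile, time
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"  # usual in-pod mount path

def jwt_claims(token):
    """Read JWT claims WITHOUT verifying the signature; used only for timing."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

class RefreshingToken:
    """Hypothetical helper: re-read the token file before the cached copy expires."""
    def __init__(self, path=TOKEN_PATH, fraction=0.8, fallback=60, clock=time.time):
        self.path, self.fraction, self.fallback, self.clock = path, fraction, fallback, clock
        self._token, self._reload_at, self.reads = None, 0.0, 0

    def get(self):
        now = self.clock()
        if self._token is None or now >= self._reload_at:
            with open(self.path) as f:
                self._token = f.read().strip()
            self.reads += 1
            claims = jwt_claims(self._token)
            if "exp" in claims:  # time-bound token: reload at a fraction of its lifetime
                iat = claims.get("iat", now)
                self._reload_at = iat + self.fraction * (claims["exp"] - iat)
            else:  # no expiry claim: re-read on a fixed interval instead
                self._reload_at = now + self.fallback
        return self._token

    def on_unauthorized(self):  # call after an HTTP 401 from the API server
        self._token = None      # forces a re-read on the next get()

def constructed_token(iat, exp):
    """Unsigned sample JWT (constructed test data, not a real token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"iat": iat, "exp": exp}), "sig"])

def demo():
    """Simulate one rotation of a one-hour token using a fake clock."""
    now, path = [1000.0], pathlib.Path(tempfile.mkdtemp()) / "token"
    path.write_text(constructed_token(1000, 4600))
    src = RefreshingToken(path, clock=lambda: now[0])
    first = src.get()
    now[0] = 3000.0
    cached = src.get() == first           # before 80% of lifetime: served from cache
    path.write_text(constructed_token(3880, 7480))  # token file rotated on disk
    now[0] = 3900.0
    rotated = src.get() != first          # past 80%: file re-read, new token returned
    return cached, rotated, src.reads
```

If the file has not been rotated yet when the threshold passes, `get()` simply re-reads it on every call until the new token appears.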
JacobHenner added a commit to JacobHenner/kubernetes_asyncio that referenced this issue May 23, 2022
tomplus pushed a commit to tomplus/kubernetes_asyncio that referenced this issue May 24, 2022
@rhockenbury rhockenbury removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Sep 20, 2022
@enj enj moved this to Closed / Done in SIG Auth Dec 5, 2022
@enj enj added this to SIG Auth Dec 5, 2022