update doc for BoundServiceAccountTokenVolume and RootCAConfigMap #27082
Deploy preview for kubernetes-io-vnext-staging processing. Building with commit 7a461e5 https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/605d7802ed26180008e31d8b
/cc @liggitt
/assign @PI-Victor
/lgtm
LGTM label has been added. Git tree hash: 1b0b87257e27a565cf80a302ed96cae38bdc1b54
Hi @zshihang
Thanks for this PR. We'd like some changes, some of which I've detailed in the review summary and some inline.
https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume also needs updating to revise:
This feature depends on the `RootCAConfigMap` feature gate enabled which publish a "kube-root-ca.crt" ConfigMap to every namespace.
@@ -60,7 +60,7 @@ It acts synchronously to modify pods as they are created or updated. When this p | |||
1. It adds a `volumeSource` to each container of the pod mounted at `/var/run/secrets/kubernetes.io/serviceaccount`. | |||
|
|||
#### Bound Service Account Token Volume | |||
{{< feature-state for_k8s_version="v1.13" state="alpha" >}} | |||
{{< feature-state for_k8s_version="v1.21" state="beta" >}} | |||
|
|||
When the `BoundServiceAccountTokenVolume` feature gate is enabled, the service account admission controller will |
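Review bot: The sentence after the v1.21 beta `feature-state` line still opens with "When the `BoundServiceAccountTokenVolume` feature gate is enabled", and the visible lines do not say whether the gate is on by default at beta. Because this section sits under the admission controller's pod-modification steps, state the v1.21 default next to the feature-state line so cluster operators can tell whether their pods are affected without any flag change.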
We're a bit more strict about beta docs, so I recommend:
When the `BoundServiceAccountTokenVolume` feature gate is enabled, the service account admission controller will | |
When the `BoundServiceAccountTokenVolume` [feature gate](/docs/reference/command-line-tools-reference/feature-gates/) | |
is enabled, the service account admission controller will |
done
| `RootCAConfigMap` | `false` | Alpha | 1.13 | 1.19 | | ||
| `RootCAConfigMap` | `true` | Beta | 1.20 | 1.20 | | ||
| `RootCAConfigMap` | `true` | GA | 1.21 | - | |
Remember to remove this feature gate from the previous table (it's not yet automated, sorry).
done
Because this does need a couple of updates, I'll note the tech review from SIG Auth (thanks @liggitt) but
Hi @zshihang, thank you for having your Doc PR ready for review, friendly reminder about the upcoming doc related dates for the 1.21 release:
| `RemoveSelfLink` | `false` | Alpha | 1.16 | 1.19 | | ||
| `RemoveSelfLink` | `true` | Beta | 1.20 | | |
Why is RemoveSelfLink removed here? The PR description does not explain this amendment.
oops, done
We have got tech LGTM with doc review feedback addressed.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: tengqm
LGTM label has been added. Git tree hash: a7653be7e469c2273945e261715f1c51c4d27709
update feature status for BoundServiceAccountTokenVolume and RootCAConfigMap
KEP: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md
PR:
Issue: kubernetes/enhancements#542