Projected service account tokens for Kubelet image credential providers

[aramase]

Enhancement Description

• One-line enhancement description (can be used as a release note): Projected service account tokens for authenticated image pulls via kubelet image credential providers
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/README.md
• Discussion Link:
• Primary contact (assignee): @aramase @enj @mainred
• Responsible SIGs: sig-auth, sig-node
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): v1.33
  • Beta release target (x.y): v1.34
  • Stable release target (x.y):
• Alpha
  • KEP (k/enhancements) update PR(s):
    • KEP-4412: Projected Service Account Tokens for Kubelet Image Credential Providers #4846
    • KEP-4412: update alpha and latest milestone to v1.33 #4996
  • Code (k/k) update PR(s):
    • credential provider config: detect typos kubernetes#128062
    • Enforce service account node audience restriction kubernetes#128077
    • KSA token for Kubelet image credential providers alpha kubernetes#128372
    • Fix service account node audience restriction for in-tree pv to csi migration kubernetes#129993
    • credential provider config: validate duplicate names early and preserve provider order kubernetes#129669
    • Enable ServiceAccountNodeAudienceRestriction feature gate by default in v1.33 kubernetes#130017
    • Enable dynamic configuration of service account names and audiences for token requests in node audience restriction kubernetes#130485
    • Define type alias for getServiceAccount function kubernetes#130749
    • Add unit tests for credential provider in service account mode kubernetes#130763
  • Docs (k/website) update PR(s):
    • Add docs for PSAT for Kubelet Image Credential Providers alpha website#49884
    • Add blog post for PSAT for Kubelet Image Credential Providers website#49924
• Beta
  • KEP (k/enhancements) update PR(s):
    • KEP-4412: promote wi for image pulls to beta in v1.34 #5374
  • Code (k/k) update PR(s):
    • Add ServiceAccountTokenCacheType support to credential provider plugin kubernetes#132617
    • Make kubelet token cache UID-aware to prevent stale tokens after service account recreation kubernetes#132803
    • Enable image pull credential verification with service account–based credential providers kubernetes#132771
    • Add kubelet_credential_provider_config_info metric kubernetes#133016
    • Mark KubeletServiceAccountTokenForCredentialProviders feature gate as beta kubernetes#133017
  • Docs (k/website) update(s):
    • Add docs for PSAT for Kubelet Image Credential Providers beta website#51382

[aramase]

/sig auth

[salehsedghpour]

Hello @aramase and @enj 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 9th February 2024.

This enhancement is targeting for stage alpha for v1.30 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.30.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

For this KEP, we would just need to update the following:

• This enhancement seems to be fresh and thus I was not able to find any information about it in the PRs in k/enhancements. Please make sure to have a merged PR before Enhancements Freeze.

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[enj]

cc @mikebrow @SergeyKanzhelev @ndixita @ruiwen-zhao @harche @haircommander

Will have an KEP open for this soon.