Skip to content

KEP-4412: Projected Service Account Tokens for Kubelet Image Credential Providers #4846

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 9, 2024
Merged

KEP-4412: Projected Service Account Tokens for Kubelet Image Credential Providers #4846

merged 1 commit into from
Oct 9, 2024
+1,211 −0

Conversation

@aramase
Copy link
Member

@aramase aramase commented Sep 12, 2024

  • One-line PR description: Add Projected Service Account Tokens for Kubelet Image Credential Providers alpha KEP

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Sep 12, 2024
@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Sep 12, 2024
@aramase aramase mentioned this pull request Sep 12, 2024
Open
28 tasks
@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch 2 times, most recently from 335b23c to 65a5019 Compare September 12, 2024 06:39
liggitt
liggitt reviewed Sep 12, 2024
View reviewed changes
@stlaz stlaz mentioned this pull request Sep 13, 2024
Merged
@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch 2 times, most recently from 581f7e2 to 049905b Compare September 30, 2024 07:50
@aramase
Copy link
Member Author

aramase commented Sep 30, 2024

/cc @enj

@k8s-ci-robot k8s-ci-robot requested a review from enj September 30, 2024 07:52
@aramase
Copy link
Member Author

aramase commented Sep 30, 2024

cc @mikebrow @SergeyKanzhelev @ndixita @ruiwen-zhao @harche @haircommander

as per #4412 (comment). PTAL!

@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 049905b to fd08023 Compare September 30, 2024 07:54
stlaz
stlaz reviewed Oct 1, 2024
View reviewed changes
@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 19842b8 to 2c0f66f Compare October 2, 2024 16:13
@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 2c0f66f to 1eb7a85 Compare October 3, 2024 14:42
@aramase
Copy link
Member Author

aramase commented Oct 3, 2024

/assign @deads2k
for PRR review

/assign enj liggitt haircommander

@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 1eb7a85 to c44af73 Compare October 3, 2024 16:48
enj
enj requested changes Oct 3, 2024
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

First pass.

@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 72d5fe0 to 49094d3 Compare October 4, 2024 20:13
SergeyKanzhelev
SergeyKanzhelev reviewed Oct 4, 2024
View reviewed changes
...-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/README.md
We will expand the on-disk kubelet credential provider configuration to allow an
optional `tokenAttribute` field to be configured. When this field is not set, no KSA
token will be sent to the plugin. When it is set, the Kubelet will provision
a token with the given audience bound to the current pod and its service
Copy link
Member

@SergeyKanzhelev SergeyKanzhelev Oct 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will the token be time-bound? If so - how long?

Copy link
Member

@SergeyKanzhelev SergeyKanzhelev Oct 4, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will it work nicely with things like stargz snapshotter where secret can be stored for a long time like: https://github.com/containerd/stargz-snapshotter/blob/main/docs/overview.md#cri-based-authentication?

cc: @samuelkarp

Copy link
Member Author

@aramase aramase Oct 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will the token be time-bound? If so - how long?

Yes, the token will be time-bound. The duration will be fixed at 1h (?). If the cloud provider associates this token duration to the credential lifetime, we don't want it to be too short-lived. 1h seems reasonable to cover those scenarios to prevent frequent calls to cloud provider for token exchange.

Copy link
Member Author

@aramase aramase Oct 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will it work nicely with things like stargz snapshotter where secret can be stored for a long time like: https://github.com/containerd/stargz-snapshotter/blob/main/docs/overview.md#cri-based-authentication?

IIUC, the stargz snapshotter in CRI-based authentication gets the same registry credentials as the CRI from kubelet, so that wouldn't change here? The credentials could now be short-lived if the lifetime is tied to the KSA token lifetime but otherwise should work the same way. Please correct me if I'm wrong.

Copy link
Member

@SergeyKanzhelev SergeyKanzhelev Oct 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stargz is not downloading the whole image in one go. So it may keep streaming pieces after 1h. So it will end up with the stale credentials

Copy link
Member Author

@aramase aramase Oct 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

stargz is not downloading the whole image in one go. So it may keep streaming pieces after 1h. So it will end up with the stale credentials

The credential provider plugin gets the PSAT and exchanges that for a registry credential. The registry credential is the one that stargz uses and it's not the PSAT right?

Copy link
Contributor

@haircommander haircommander Oct 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

correct. I think this can be compared to current behavior without specific PSAT: if a node wide credential expires while the image is being pulled with stargz, what does the runtime do? I'd expect the same here.

Copy link
Member

@SergeyKanzhelev SergeyKanzhelev Oct 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, ok. So we are not giving time limited token to runtime. If this is the case, it will work

Copy link
Member

@SergeyKanzhelev SergeyKanzhelev Oct 9, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I wonder if there is any test we can write that will validate that and ensure we are not breaking this scenario?

Copy link
Member Author

@aramase aramase Oct 14, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The tests in kubelet credential provider wouldn't validate this because it fetches the registry credentials and passes it to CRI (no change in behavior).

Tests in stargz would be good to confirm it works as expected when the registry credentials expire/it updates its cache when the credentials for the image change.
@SergeyKanzhelev do you know who can confirm if there are tests for this in stargz?

@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 49094d3 to 9a88044 Compare October 7, 2024 14:52
@aramase aramase requested review from SergeyKanzhelev and enj October 7, 2024 14:53
deads2k
deads2k requested changes Oct 7, 2024
View reviewed changes
Copy link
Contributor

@deads2k deads2k left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some updates for beta criteria and PRR please.

@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch 2 times, most recently from 6416856 to b124de2 Compare October 8, 2024 01:51
@aramase aramase requested a review from deads2k October 8, 2024 01:52
enj
enj requested changes Oct 8, 2024
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks inverted?

@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 15baea4 to 9b15829 Compare October 8, 2024 19:27
@aramase aramase requested review from deads2k and enj October 8, 2024 21:49
@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 9c027e3 to 6a0f049 Compare October 8, 2024 22:07
@deads2k
Copy link
Contributor

deads2k commented Oct 9, 2024

PRR lgtm. KEP also lgtm, but I'll leave lgtm to @enj and whoever is looking from node.

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 9, 2024
enj
enj requested changes Oct 9, 2024
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

typo

@aramase
Add KEP-4412: Projected Service Account Tokens for Kubelet Image Cred…
57865a0 
…ential Providers

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>
@aramase aramase force-pushed the aramase/f/kep_4412_alpha branch from 6a0f049 to 57865a0 Compare October 9, 2024 19:49
@enj
Copy link
Member

enj commented Oct 9, 2024

SIG node LGTM: #4846 (comment)

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 9, 2024
@k8s-ci-robot
Copy link
Contributor

k8s-ci-robot commented Oct 9, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, deads2k, enj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit 3e3a2a0 into kubernetes:master Oct 9, 2024
4 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.32 milestone Oct 9, 2024
@aramase aramase deleted the aramase/f/kep_4412_alpha branch October 9, 2024 19:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@liggitt liggitt liggitt left review comments

@haircommander haircommander haircommander left review comments

@enj enj enj requested changes

@ritazh ritazh Awaiting requested review from ritazh

@SergeyKanzhelev SergeyKanzhelev Awaiting requested review from SergeyKanzhelev

@deads2k deads2k Awaiting requested review from deads2k

+2 more reviewers

@stlaz stlaz stlaz left review comments

@ahmedtd ahmedtd ahmedtd left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

@liggitt liggitt

@enj enj

@deads2k deads2k

@haircommander haircommander

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.

Projects

SIG Auth
Archived in project

Milestone

v1.32

Development

Successfully merging this pull request may close these issues.

9 participants

@aramase @haircommander @deads2k @enj @k8s-ci-robot @stlaz @liggitt @ahmedtd @SergeyKanzhelev