Document use of legacy Service Account token mechanism #32688
Comments
It's not enough to document just the feature gate, because folks who have this need won't want to iterate through every feature gate in the hope that they find one that helps fix the issue they face.
the idea is to drive users to use manually created legacy tokens instead of auto-generated. #31845
Even though we are recommending a different approach, I'm still concerned that there will be insufficient documentation about how to retain the GA feature (and perhaps also about the implications of doing so).
If we had documentation for the ServiceAccount concept (see #31847) then I'd be less concerned, because in the page about ServiceAccount we could mention the legacy mechanism and why it is deprecated.
+1 adding more details /triage accepted
@zshihang can you please follow up on this so we can close this out for v1.24?
This won't be in 1.24, clearing the milestone. This can be added to subsequent milestones if needed.
/priority backlog Would be nice to have these docs, but if not then people can use the new recommended mechanism.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
/remove-lifecycle stale
@shannonxtreme Please make sure this issue is also addressed in #31847
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues according to the following rules:
Please send feedback to sig-contributor-experience at kubernetes/community. /close not-planned
@k8s-triage-robot: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Should this be reopened?
I don't think this work is super important. Feel free to explain why it is a higher priority @timoreimann
@sftim I was looking for documentation around the three feature gates related to legacy token behavior, and all I could find was the description in the KEP. That seemed insufficient to me because (1) it is more difficult to discover and (2) it is never ultimately clear if the KEP description is still up-to-date or whether it might have been superseded by follow-up work / considerations already. Please do let me know if you think I missed something.
/reopen PRs are welcome.
@sftim: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@zshihang could you PTAL?
there is no way to opt back in to auto generation of legacy service account tokens after the GA of the LegacyServiceAccountNoAutoGeneration feature. to manually create legacy tokens, refer to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-an-api-token-for-a-serviceaccount
If you're saying that one day Kubernetes won't let you use the legacy mechanism, that's true. But whilst you can, we should explain how.
the ask in the issue is
LegacyServiceAccountNoAutoGeneration (no legacy service account autogeneration) is already GA'ed in v1.26 so there is no way to opt back in after v1.26 (that's why the feature gate is gone in v1.28/v1.29). however, we still can create legacy service account tokens manually and the doc is here https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#create-token.
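Added example, not part of the issue thread or of the Kubernetes documentation it links to: the manifest for a manually created legacy token Secret of the kind the comment above describes. The ServiceAccount name build-robot and the namespace ci are assumptions; the ServiceAccount is assumed to already exist in that namespace.

```yaml
# Added example: a manually created, Secret-based ServiceAccount token.
# "build-robot" and "ci" are placeholder names (assumptions).
apiVersion: v1
kind: Secret
metadata:
  name: build-robot-token
  namespace: ci          # must be the same namespace as the ServiceAccount
  annotations:
    # The token controller only fills in .data.token for Secrets of this
    # type whose annotation names a ServiceAccount in the same namespace.
    kubernetes.io/service-account.name: build-robot
type: kubernetes.io/service-account-token
# .data is left empty on purpose: the controller populates the token,
# ca.crt and namespace keys after the Secret is created.
```

After `kubectl apply -f` on this file, `kubectl get secret build-robot-token -n ci -o jsonpath='{.data.token}'` returns a non-empty base64 value once the token controller has processed the Secret; an empty result usually means the annotation does not match an existing ServiceAccount in that namespace. Unlike tokens from `kubectl create token` (the TokenRequest API), a token issued this way has no expiry and is only invalidated by deleting the Secret, so treat it as a long-lived credential and reach for it only when a workload genuinely cannot use the projected, time-bound token.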
OK, this is no longer needed and it's stale enough that it's not worth doing for the older releases. /close not-planned
@sftim: Closing this issue, marking it as "Not Planned". In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This is a Feature Request
What would you like to be added
Document how to opt back in to legacy ServiceAccount token autogeneration.
Why is this needed
https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token describes how we're switching to a new mechanism for ServiceAccount tokens.
If you find that you rely on the stable, Secret-based method for ServiceAccount authentication, you need to disable a feature gate. We should document this; at the moment, those docs are not done for the v1.24 branch.
Comments
/language en
/sig auth
/milestone 1.24
For context, see kubernetes/enhancements#2799