Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Switch to TokenRequest API for ServiceAccount tokens #698

Open
olim7t opened this issue Sep 23, 2022 · 1 comment
Open

Switch to TokenRequest API for ServiceAccount tokens #698

olim7t opened this issue Sep 23, 2022 · 1 comment
Labels
enhancement New feature or request

Comments

@olim7t
Copy link
Contributor

olim7t commented Sep 23, 2022
edited by sync-by-unito bot
Loading

Currently we use a non-expiring token (at first auto-generated, and then explicitly declared when we moved to k8s 1.24 in #681).

The documentation recommends switching to TokenRequest instead:

Tokens obtained from the TokenRequest API are more secure than ones stored in Secret objects, because they have a bounded lifetime and are not readable by other API clients. You can use the kubectl create token command to obtain a token from the TokenRequest API.

You should only create a service account token Secret object if you can't use the TokenRequest API to obtain a token, and the security exposure of persisting a non-expiring token credential in a readable API object is acceptable to you.

We should investigate if and how that API can be used from our controller code.

┆Issue is synchronized with this Jira Story by Unito
┆Issue Number: K8OP-213
@olim7t olim7t added the enhancement New feature or request label Sep 23, 2022
@olim7t olim7t mentioned this issue Sep 23, 2022
Merged
5 tasks
@sync-by-unito sync-by-unito bot changed the title Switch to TokenRequest API for ServiceAccount tokens K8SSAND-1803 ⁃ Switch to TokenRequest API for ServiceAccount tokens Sep 23, 2022
@burmanm
Copy link
Contributor

burmanm commented Sep 26, 2022

1.22 minimum.

@adejanovski adejanovski moved this to To Groom in K8ssandra Nov 8, 2022
@sync-by-unito sync-by-unito bot changed the title K8SSAND-1803 ⁃ Switch to TokenRequest API for ServiceAccount tokens Switch to TokenRequest API for ServiceAccount tokens Oct 11, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
No open projects
K8ssandra
Status: No status
Milestone
No milestone
Development

No branches or pull requests
2 participants
@olim7t @burmanm