design: improved service account token volumes #1973
Conversation
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
the
kind/design
| // Audiences are the intendend audiences of the token. | ||
| Audiences []string | ||
| // ExpirationSeconds is the requested duration of validity of the service | ||
| // account token |
There was a problem hiding this comment.
Comment about what default value means
| traffic. However it doesn't solve the per-namespace replicated CA data which | ||
| needs to be stored in ETCD. | ||
|
|
||
| To fix that issue we can implement a PublicConfigMapProjection that exactly |
There was a problem hiding this comment.
Another option: extend config map source to perform an authorization check on the service accounts behalf to fetch a cross namespace config map. That removes the need for a special config map source and makes users who have this use case happier.
Authorization is two checks - node authorizer for the reference, and a corresponding acl check as the service account or the node (arguably I should be able to grant my service account permission to fetch something and let the node fetch it)
There was a problem hiding this comment.
The node authorizer can do that check on the behalf of the service account:
- If referenced
- And if service account has access if outside of namespace
There was a problem hiding this comment.
Authorization referring to secrets is tracked in kubernetes/kubernetes#4957
There was a problem hiding this comment.
That issue is about to be closed due to inactivity.
There was a problem hiding this comment.
Jordan proved to me my idea wouldn't work because the node authorizer doesn't know the who. I think his argument was to not put this in the API but make it be a kubelet detail. I think it's pretty reasonable for the short term not to introduce a new API here but instead make it part of kube config.
There was a problem hiding this comment.
Although we still need a way to tie the ca info (the implicit service account data) to a pod that doesn't request the secret. The API on ServiceAccountToken is token path specific, but without the CA the token is pretty useless, and in-cluster config is broken.
There was a problem hiding this comment.
Would the admission controller automatically inject a public config map projection?
|
It would be great if the reviewers for the doc included some folks that weren't also listed as authors. The purpose of getting these things in PRs is to find independent review. |
jbeda
added
the
kind/api-change
| the caller is a particular pod to a Kubernetes API server. These tokens are | ||
| injected into pods as secrets. This proposal proposes a new mechanism of | ||
| distribution with support for [improved service account | ||
| tokens](https://github.com/kubernetes/community/pull/1460) and explores how to |
There was a problem hiding this comment.
A PR is not sufficient here. We should make sure that anything referenced by a design doc is checked in and agreed upon. We have to get out of the habit of not closing these things out. We need to be able to actually make decisions.
There was a problem hiding this comment.
I can prioritize closing that out. The outstanding question is here:
There was a problem hiding this comment.
If you want to use the KEP process (not required but might be nice -- hint hint) there is an idea of checking in stuff that is WIP and isolating the nut of disagreement to dedicated PRs. That helps to find the areas agreement and get them locked down incrementally.
| TokenRequest API. | ||
|
|
||
| ```go | ||
| type ServiceAccountTokenProjection struct { |
There was a problem hiding this comment.
I don't see the name of the service account here. Have you considered making it so that a Pod can use multiple SAs at the same time? I can see scenarios where, say, a set of microservices get merged into one service and the things these things are talking to other services with unique SAs. Having the new merged service be able to use the existing SAs would be nice.
There was a problem hiding this comment.
Nothing prevents you mounting one of their secrets today, so i think it's reasonable to extend that. I think it's a reasonable addition, but is also something that could be added later without impact (an optional field where the default is the pod's service account). Do you think a ton of people have this right now Joe? The only example I've seen has been prometheus which has a scraper token and a service account token - I would definitely use something like that there, but that's 1 out of several hundred apps I've seen people deploy, so i'd suspect its 5% case (a useful one). I don't think any of the other core services have come up with this use case yet.
There was a problem hiding this comment.
I also think that this may be more interesting as people start mapping to Cloud SAs. You may have one SA for talking within the cluster and another SA to talk to the cloud. Ideally these would be the same but it depends on how flexible the mappings are.
I'm just allergic to any 1:1 bindings for stuff like this. In my experience it almost always comes back to bite you. And if we don't have it in there earlier than folks will tend to work with what they have vs. come back and add something. However, I wouldn't lay down on the tracks if this didn't make it in the first version.
I think it is also worth calling out (perhaps in an example) that a pod can project the same SA multiple times with different audiences. Without making this clear people will naively just add more audiences and pass that token around. This kind of defeats the whole purpose of the audience field. In my mind having multiple audiences on a token is a bad smell and we shouldn't make that the easy/suggested/obvious case.
There was a problem hiding this comment.
This would add a lot of questions to the design (e.g. how do these extra service accounts interact with PodSecurityPolicy, ImagePullSecrets attached to the service account, etc...). As Clayton says, this functionality could be added backwards compatibly later and I would prefer to solve this with a holistic design for sub-pod isolation.
There was a problem hiding this comment.
I think it is also worth calling out (perhaps in an example) that a pod can project the same SA multiple times with different audiences. Without making this clear people will naively just add more audiences and pass that token around.
Good point.
|
I hope to get some sig-storage reviewers of this proposal after it's presented at the next sig meeting. |
|
|
||
| To fix that issue we can implement a PublicConfigMapProjection that exactly | ||
| copies the implementation of ConfigMapProjection but sources config from the | ||
| `kube-public` namespace. |
There was a problem hiding this comment.
I think that this is the first time that kube-public is being used as part of the core controllers. We introduced it as part of the kubeadm bootstrapping process but it was completely optional. Not sure if other stuff has shown up in there.
It is a little strange to make a namespace special like this. In fact, kube-system isn't all that special above and beyond convention (and RBAC defaults, I think?). Introducing a PublicConfigMapProjection is probably something that deserves its own design doc. I'd suggest something like listing the namespace and requiring that the target configmap be readable by anonymous. That would allow folks to use this in other contexts and avoid naming kube-public explicitly.
|
@kubernetes/sig-auth-proposals @kubernetes/sig-storage-proposals |
|
|
||
| A volume plugin implemented in the kubelet will project a service account token | ||
| sourced from the TokenReview API into volumes created from | ||
| ProjectedVolumeSources. As the token approaches expiration, the kubelet volume |
There was a problem hiding this comment.
Can you provide the struct for ProjectedVolumeSource for clarity?
mikedanese
force-pushed
the
sats
branch
2 times, most recently
from
7f1a329
to
ed59dd4
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: saad-ali The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
| traffic. However it doesn't solve the per-namespace replicated CA data which | ||
| needs to be stored in ETCD. | ||
|
|
||
| To fix that issue we can extend ConfigMapProjection to support cross namespace |
There was a problem hiding this comment.
@smarterclayton PTAL to this update
There was a problem hiding this comment.
options I see:
- per-namespace configmap (one per namespace, which is much better than one per serviceaccount token, but still requires controller maintenance and has etcd size and kubelet request issues)
- single cross-namespace configmap (opens pandora's box to cross-namespace references, access model is unclear)
- downward API for apiserver trust root (non-pod fields in downward API is a shift I'm unsure of, still requires the kubelet to get the data somehow, but avoids the source being part of the pod API)
- additional projection source for apiserver trust root (still requires the kubelet to get the data somehow, but avoids the source being part of the pod API)
1 seems ok as a starting point, I think I prefer 3 or 4 to making cross-namespace references part of the API. Can call out the possibilities here if you want, or defer that discussion to a phase 2
From storage point of view, this is just another AtomicWriter volume and it will behave the same as a Secret with one key, right? I don't see any issue here. |
sounds good. so projected can refresh single-file, it was subPath mounts that could not? |
|
Correct because subpath is bind mounted by the runtime, the symlink gets resolved and fixed. |
I agree that we can should separate the deprecation of the current behavior into a later proposal. I've pulled out the relevant pieces. |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
| ProjectedVolumeSources. As the token approaches expiration, the kubelet volume | ||
| plugin will proactively rotate the service account token. The kubelet will start | ||
| trying to rotate the token if the token is older than 80 percent of its time to | ||
| live or if the token is older than 24 hours. |
There was a problem hiding this comment.
This should be specified in the API (as a comment).
| Audience string | ||
| // ExpirationSeconds is the requested duration of validity of the service | ||
| // account token. Defaults to 1 hour. | ||
| ExpirationSeconds *int64 |
There was a problem hiding this comment.
I think this should define a minimum value. Something would surely break if with an expiration time of 1 second...
There was a problem hiding this comment.
This was addressed in #1973 (comment)
The minimum will be 10 minutes checked in validation. I'll add that to the comment.
| // Audience is the intended audience of the token. A recipient of a token | ||
| // must identify itself with an identifier specified in the audience of the | ||
| // token, and otherwise should reject the token. | ||
| Audience string |
There was a problem hiding this comment.
Is this required? If not, what is the default? Or what does it mean to have an empty audience?
There was a problem hiding this comment.
The default is the same as the token request API. The audience defaults to the identifier of the apiserver. Added a comment.
| // Audience is the intended audience of the token. A recipient of a token | ||
| // must identify itself with an identifier specified in the audience of the | ||
| // token, and otherwise should reject the token. | ||
| Audience string |
There was a problem hiding this comment.
Should this be a list, to match TokenRequest API?
There was a problem hiding this comment.
I had a conversation with @liggitt about this. We are opting for a single audience to encourage correct usage of the API. We discussed a few options and decided this was probably the best approach for now.
|
@tallclair PTAL |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
Automatic merge from submit-queue (batch tested with PRs 64364, 64369, 63819, 64528). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. add APIs for service account volume projection ref #58790 designed in kubernetes/community#1973 Release note will be included in the implementation. ```release-note NONE ```
Automatic merge from submit-queue (batch tested with PRs 64364, 64369, 63819, 64528). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. add APIs for service account volume projection ref kubernetes/kubernetes#58790 designed in kubernetes/community#1973 Release note will be included in the implementation. ```release-note NONE ``` Kubernetes-commit: 374992a6fb07fc808e9cd0ab81b729c39579bfbd
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. implement ServiceAccountTokenProjection design here: kubernetes/community#1973 part of #61858 ```release-note Add a volume projection that is able to project service account tokens. ``` part of #48408 @kubernetes/sig-auth-pr-reviews @kubernetes/sig-storage-pr-reviews
This adds docs for the service account projection feature. Xref: kubernetes/kubernetes#63819, kubernetes/community#1973 Closes: kubernetes#9102
This adds docs for the service account projection feature. Xref: kubernetes/kubernetes#63819, kubernetes/community#1973 Closes: #9102
This adds docs for the service account projection feature. Xref: kubernetes/kubernetes#63819, kubernetes/community#1973 Closes: #9102
This adds docs for the service account projection feature. Xref: kubernetes/kubernetes#63819, kubernetes/community#1973 Closes: #9102
* Seperate priority and preemption (#8144) * Doc about PID pressure condition. (#8211) * Doc about PID pressure condition. Signed-off-by: Da K. Ma <[email protected]> * "so" -> "too" * Update version selector for 1.11 * StorageObjectInUseProtection is GA (#8291) * Feature gate: StorageObjectInUseProtection is GA Update feature gate reference for 1.11 * Trivial commit to re-trigger Netlify * CRIContainerLogRotation is Beta in 1.11 (#8665) * Seperate priority and preemption (#8144) * CRIContainerLogRotation is Beta in 1.11 xref: kubernetes/kubernetes#64046 * Bring StorageObjectInUseProtection feature to GA (#8159) * StorageObjectInUseProtection is GA (#8291) * Feature gate: StorageObjectInUseProtection is GA Update feature gate reference for 1.11 * Trivial commit to re-trigger Netlify * Bring StorageObjectInUseProtection feature to GA StorageObjectInUseProtection is Beta in K8s 1.10. It's brought to GA in K8s 1.11. * Fixed typo and added feature state tags. * Remove KUBE_API_VERSIONS doc (#8292) The support to the KUBER_API_VERSIONS environment variable is completely dropped (no deprecation). This PR removes the related doc in release-1.11. xref: kubernetes/kubernetes#63165 * Remove InitialResources from admission controllers (#8293) The feature (was experimental) is dropped in 1.11. xref: kubernetes/kubernetes#58784 * Remove docs related to in-tree support to GPU (#8294) * Remove docs related to in-tree support to GPU The in-tree support to GPU is completely removed in release 1.11. This PR removes the related docs in release-1.11 branch. xref: kubernetes/kubernetes#61498 * Update content updated by PR to Hugo syntax Signed-off-by: Misty Stanley-Jones <[email protected]> * Update the doc about extra volume in kubeadm config (#8453) Signed-off-by: Xianglin Gao <[email protected]> * Update CRD Subresources for 1.11 (#8519) * coredns: update notes in administer-cluster/coredns.md (#8697) CoreDNS is installed by default in 1.11. Add notes on how to install kube-dns instead. Update notes about CoreDNS->CoreDNS upgrades as in 1.11 the Corefile is retained. Add example on upgrading from kube-dns to CoreDNS. * kubeadm-alpha: CoreDNS related changes (#8727) Update note about CoreDNS feature gate. This change also updates a tab as a kubeadm sub-command will change. It looks for a new generated file: generated/kubeadm_alpha_phase_addon_coredns.md instead of: generated/kubeadm_alpha_phase_addon_kube-dns.md * Update cloud controller manager docs to beta 1.11 (#8756) * Update cloud controller manager docs to beta 1.11 * Use Hugo shortcode for feature state * kubeadm-upgrade: include new command `kubeadm upgrade diff` (#8617) Also: - Include note that this was added in 1.11. - Modify the note about upgrade guidance. * independent: update CoreDNS mentions for kubeadm (#8753) Give CoreDNS instead of kube-dns examples in: - docs/setup/independent/create-cluster-kubeadm.md - docs/setup/independent/troubleshooting-kubeadm.md * update 1.11 --server-print info (#8870) * update 1.11 --server-print info * Copyedit * Mark ExpandPersistentVolumes feature to beta (#8778) * Update version selector for 1.11 * Mark ExpandPersistentVolumes Beta xref: kubernetes/kubernetes#64288 * fix shortcode, add placeholder files to fix deploy failures (#8874) * declare ipvs ga (#8850) * kubeadm: update info about CoreDNS in kubeadm-init.md (#8728) Add info to install kube-dns instead of CoreDNS, as CoreDNS is the default DNS server in 1.11. Add notes that kubeadm config images can be used to list and pull the required images in 1.11. * kubeadm: update implementation-details.md about CoreDNS (#8829) - Replace examples from kube-dns to CoreDNS - Add notes about the CoreDNS feature gate status in 1.11 - Add note that the service name for CoreDNS is also called `kube-dns` * Update block device support for 1.11 (#8895) * Update block device support for 1.11 * Copyedits * Fix typo 'fiber channel' (#8957) Signed-off-by: Misty Stanley-Jones <[email protected]> * kubeadm-upgrade: add the 'node [config]' sub-command (#8960) - Add includes for the generated pages - Include placeholder generated pages * kubeadm-init: update the example for the MasterConfiguration (#8958) - include godocs link for MasterConfiguration - include example MasterConfiguration - add note that `kubeadm config print-default` can be used * kubeadm-config: include new commands (#8862) Add notes and includes for these new commands in 1.11: - kubeadm config print-default - kubeadm config migrate - kubeadm config images list - kubeadm config images pull Include placeholder generated files for the above. * administer-cluster/coredns: include more changes (#8985) It was requested that for this page a couple of methods should be outlined: - manual installation for CoreDNS explained at the Kubernetes section of the GitHub project for CoreDNS - installation and upgrade via kubeadm Make the above changes and also add a section "About CoreDNS". This commit also lowercases a section title. * Update CRD subresources doc for 1.11 (#8918) * Add docs for volume expansion and online resizing (#8896) * Add docs for volume expansion going beta * Copyedit * Address feedback * Update exec plugin docs with TLS credentials (#8826) * Update exec plugin docs with TLS credentials kubernetes/kubernetes#61803 implements TLS client credential support for 1.11. * Copyedit * More copyedits for clarification * Additional copyedit * Change token->credential * NodeRestriction admission prevents kubelet taint removal (#8911) * dns-custom-namerserver: break down the page into mutliple sections (#8900) * dns-custom-namerserver: break down the page into mutliple sections This page is currently about kube-dns and is a bit outdated. Introduce the heading `# Customizing kube-dns`. Introduce a separate section about CoreDNS. * Copyedits, fix headings for customizing DNS Hey Lubomir, I coypedited pretty heavily because this workflow is so much easier for docs and because I'm trying to help improve everything touching kubeadm as much as possible. But there's one outstanding issue wrt headings and intro content: you can't add a heading 1 to a topic to do what you wanted to do. The page title in the front matter is rendered as a heading 1 and everything else has to start at heading 2. (We still need to doc this better in the docs contributing content, I know.) Instead, I think we need to rewrite the top-of-page intro content to explain better the relationship between kube-dns and CoreDNS. I'm happy to write something, but I thought I'd push this commit first so you can see what I'm doing. Hope it's all clear -- ping here or on Slack with any questions ~ Jennifer * Interim fix for talking about CoreDNS * Fix CoreDNS details * PSP readOnly hostPath (#8898) * Add documentation for crictl (#8880) * Add documentation for crictl * Copyedit Signed-off-by: Misty Stanley-Jones <[email protected]> * Final copyedit * VolumeSubpathEnvExpansion alpha feature (#8835) * Note that Heapster is deprecated (#8827) * Note that Heapster is deprecated This notes that Heapster is deprecated, and migrates the relevant docs to talk about metrics-server or other solutions by default. * Copyedits and improvements Signed-off-by: Misty Stanley-Jones <[email protected]> * Address feedback * fix shortcode to troubleshoot deploy (#9057) * update dynamic kubelet config docs for v1.11 (#8766) * update dynamic kubelet config docs for v1.11 * Substantial copyedit * Address feedback * Reference doc for kubeadm (release-1.11) (#9044) * Reference doc for kubeadm (release-1.11) * fix shortcode to troubleshoot deploy (#9057) * Reference doc for kube-components (release-1.11) (#9045) * Reference doc for kube-components (release-1.11) * Update cloud-controller-manager.md * fix shortcode to troubleshoot deploy (#9057) * Documentation on lowercasing kubeadm init apiserver SANs (#9059) * Documentation on lowercasing kubeadm init apiserver SANs * fix shortcode to troubleshoot deploy (#9057) * Clarification in dynamic Kubelet config doc (#9061) * Promote sysctls to Beta (#8804) * Promote sysctls to Beta * Copyedits Signed-off-by: Misty Stanley-Jones <[email protected]> * Review comments * Address feedback * More feedback * kubectl reference docs for 1.11 (#9080) * Update Kubernetes API 1.11 ref docs (#8977) * Update v1alpha1 to v1beta1. * Adjust left nav for 1.11 ref docs. * Trim list of old ref docs. * Update Federation API ref docs for 1.11. (#9064) * Update Federation API ref docs for 1.11. * Add titles. * Update definitions.html * CRD versioning Public Documentation (#8834) * CRD versioning Public Documentation * Copyedit Signed-off-by: Misty Stanley-Jones <[email protected]> * Address feedback * More rewrites * Address feedback * Update main CRD page in light of versioning * Reorg CRD docs * Further reorg * Tweak title * CSI documentation update for raw block volume support (#8927) * CSI documetation update for raw block volume support * minor edits for "CSI raw block volume support" Some small grammar and style nits. * minor CSIBlockVolume edits * Update kubectl component ref page for 1.11. (#9094) * Update kubectl component ref page for 1.11. * Add title. Replace stevepe with username. * crd versioning doc: fix nits (#9142) * Update `DynamicKubeletConfig` feature to beta (#9110) xref: kubernetes/kubernetes#64275 * Documentation for dynamic volume limits based on node type (#8871) * add cos for storage limits * Update docs specific for aws and gce * fix some minor things * Update storage-limits.md * Add k8s version to feature-state shortcode * The Doc update for ScheduleDaemonSetPods (#8842) Signed-off-by: Da K. Ma <[email protected]> * Update docs related to PersistentVolumeLabel admission control (#9109) The said admission controller is disabled by default in 1.11 (kubernetes/kubernetes#64326) and scheduled to be removed in future release. * client exec auth: updates for 1.11 (#9154) * Updates HA kubeadm docs (#9066) * Updates HA kubeadm docs Signed-off-by: Chuck Ha <[email protected]> * kubeadm HA - Add stacked control plane steps * ssh instructions and some typos in the bash scripts Signed-off-by: Chuck Ha <[email protected]> * Fix typos and copypasta errors * Fix rebase issues * Integrate more changes Signed-off-by: Chuck Ha <[email protected]> * copyedits, layout and formatting fixes * final copyedits * Adds a sanity check for load balancer connection Signed-off-by: Chuck Ha <[email protected]> * formatting fixes, copyedits * fix typos, formatting * Document the Pod Ready++ feature (#9180) Closes: #9107 Xref: kubernetes/kubernetes#64057 * Mention 'KubeletPluginsWatcher' feature (#9177) * Mention 'KubeletPluginsWatcher' feature This feature is more developers oriented than users oriented, so simply mention it in the feature gate should be fine. In future, when the design doc is migrated from Google doc to the kubernetes/community repo, we can add links to it for users who want to dig deeper. Closes: #9108 Xref: kubernetes/kubernetes#63328, kubernetes/kubernetes#64605 * Copyedit * Amend dynamic volume list docs (#9181) The dynamic volume list feature has been documented but the feature gate related was not there yet. Closes: #9105 * Document for service account projection (#9182) This adds docs for the service account projection feature. Xref: kubernetes/kubernetes#63819, kubernetes/community#1973 Closes: #9102 * Update pod priority and preemption user docs (#9172) * Update pod priority and preemption user docs * Copyedit * Documentation on setting node name with Kubeadm (#8925) * Documentation on setting node name with Kubeadm * copyedit * Add kubeadm upgrade docs for 1.11 (#9089) * Add kubeadm upgrade docs for 1.11 * Initial docs review feedback * Add 1-11 to outline * Fix formatting on tab blocks * Move file to correct location * Add `kubeadm upgrade node config` step * Overzealous ediffing * copyedit, fix lists and headings * clarify --force flag for fixing bad state * Get TOML ready for 1.11 release * Blog post for 1.11 release (#9254) * Blog post for 1.11 release * Update 2018-06-26-kubernetes-1.11-release-announcement.md * Update 2018-06-26-kubernetes-1.11-release-announcement.md * Update 2018-06-26-kubernetes-1.11-release-announcement.md
design: improved service account token volumes
Refactoring of https://docs.google.com/document/d/1Ki7K9rAC5XIAgyYJXUis1UpgwmtRq2Xz68mF3_LggEY/edit?ts=5a5e7205
@liggitt @smarterclayton
@kubernetes/sig-auth-feature-requests @kubernetes/sig-storage-feature-requests