update KEP-2799
zshihang committed Dec 15, 2022
1 parent 4a1b8e0 commit 3f4a135
Showing 2 changed files with 11 additions and 12 deletions.
@@ -142,9 +142,8 @@ indicates if tracking is enabled in the cluster. It is similar to the existing

- the controller creates/updates a configmap in `kube-system` namespace that
stores the current date as `tracked-since`.
- when a legacy token is used, issue a warning, annotate/update the
`last-used` on the secret at date granularity, and record in a metric.
optionally, add a label `in-use` for fast query.
- when a legacy token is used, issue a warning, update the label `last-used`
on the secret at date granularity, and record in a metric.

- When LegacyServiceAccountTokenTracking is disabled in any apiserver,
- the controller ensures the configmap in `kube-system` namespace is deleted
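Review bot: the `+` lines switch `last-used` from an annotation to a label without saying what value format the label carries, and label values are validated far more strictly than annotation values (at most 63 characters, alphanumeric plus `-`, `_` and `.`, starting and ending alphanumeric), so the date-granularity value needs to be written in a label-safe form such as `2022-12-15`; one clause stating the format would settle that. The dropped sentence about an optional `in-use` label is presumably removed because a `last-used` label is already selectable with a label selector, and saying so keeps the reason for the annotation-to-label change visible to later readers.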
@@ -235,10 +234,10 @@ legacy tokens for security practices.

#### Alpha -> Beta Graduation

- [ ] In use by multiple distributions
- [ ] Approved by PRR and scalability
- [ ] Any known bugs fixed
- [ ] Tests passing
- [x] In use by multiple distributions
- [x] Approved by PRR and scalability
- [x] Any known bugs fixed
- [x] Tests passing

#### LegacyServiceAccountTokenCleanUp

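Review bot: the four Alpha -> Beta criteria are flipped to `[x]` with no evidence beside them; `In use by multiple distributions` and `Approved by PRR and scalability` are verifiable claims, so naming the distributions and linking the PRR review (and the passing test jobs) inline would keep the checklist auditable after this merges.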
@@ -286,7 +285,7 @@ The only touches control plane, so version skew strategy is not applicable.
###### Does enabling the feature change any default behavior?

- LegacyServiceAccountTokenNoAutoGeneration: no legacy tokens are auto-generated.
- LegacyServiceAccountTokenTracking: legacy tokens would have new annotation and a configmap would be created in kube-system.
- LegacyServiceAccountTokenTracking: legacy tokens would have new label and a configmap would be created in kube-system.
- LegacyServiceAccountTokenCleanUp: unused auto-generated legacy tokens will be removed.

###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
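Review bot: the `+` line for LegacyServiceAccountTokenTracking reads `would have new label`; write `a new label` and name it (`last-used`) so this answer matches the tracking description earlier in the document, and it is worth adding that the label is set only when a token is actually used, since a reader of this default-behavior question could otherwise assume every legacy token secret is relabelled at enablement.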
@@ -299,7 +298,7 @@ yes for all feature gates.
before the reenablement, Token Controller would create tokens for
serviceaccounts while the feature was off.
- LegacyServiceAccountTokenTracking: during this sequence of operations,
only the annotation `last-used` is persisted, but there is no impact on the
only the label `last-used` is persisted, but there is no impact on the
functionality of this feature.
- LegacyServiceAccountTokenCleanUp: the same as enable the feature.

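Review bot: the `+` line says only the `last-used` label is persisted across disable and re-enable and that this has no functional impact, but the interaction with LegacyServiceAccountTokenCleanUp deserves a sentence: disabling tracking deletes the configmap that holds `tracked-since` (earlier hunk) while the `last-used` labels on secrets survive, so after re-enabling, `tracked-since` will be newer than some existing `last-used` values; state how cleanup treats a label older than the new `tracked-since` so stale labels cannot be read as evidence of disuse. Separately, the unchanged context line `the same as enable the feature` should read `the same as enabling the feature`.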
@@ -13,10 +13,10 @@ reviewers:
approvers:
- "@liggitt"
stage: beta
latest-milestone: "v1.26"
latest-milestone: "v1.27"
milestone:
alpha: "v1.24"
beta: "v1.25"
beta: "v1.24"
stable: "v1.26"
feature-gates:
- name: LegacyServiceAccountTokenNoAutoGeneration
components:
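Review bot: the milestone block now reads alpha `v1.24`, beta `v1.24` (changed from `v1.25`), stable `v1.26`, with `latest-milestone: "v1.27"` and `stage: beta`; beta equal to alpha looks like a mistyped value, and a stable milestone earlier than the latest milestone contradicts `stage: beta`. Because this KEP carries three feature gates that graduate on different schedules, either record the milestones per gate or correct these values so the front matter describes one consistent timeline.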

0 comments on commit 3f4a135
