diff --git a/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/README.md b/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/README.md index 1c9907ab3dc..a78a17ce462 100644 --- a/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/README.md +++ b/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/README.md @@ -142,9 +142,8 @@ indicates if tracking is enabled in the cluster. It is similar to the existing - the controller creates/updates a configmap in `kube-system` namespace that stores the current date as `tracked-since`. - - when a legacy token is used, issue a warning, annotate/update the - `last-used` on the secret at date granularity, and record in a metric. - optionally, add a label `in-use` for fast query. + - when a legacy token is used, issue a warning, update the label `last-used` + on the secret at date granularity, and record in a metric. - When LegacyServiceAccountTokenTracking is disabled in any apiserver, - the controller ensures the configmap in `kube-system` namespace is deleted @@ -235,10 +234,9 @@ legacy tokens for security practices. #### Alpha -> Beta Graduation -- [ ] In use by multiple distributions -- [ ] Approved by PRR and scalability -- [ ] Any known bugs fixed -- [ ] Tests passing +- [x] Approved by PRR and scalability +- [x] Any known bugs fixed +- [x] Tests passing #### LegacyServiceAccountTokenCleanUp @@ -255,7 +253,6 @@ legacy tokens for security practices. #### Alpha -> Beta Graduation -- [ ] In use by multiple distributions - [ ] Approved by PRR and scalability - [ ] Any known bugs fixed - [ ] Tests passing 
@@ -286,7 +283,7 @@ The only touches control plane, so version skew strategy is not applicable. ###### Does enabling the feature change any default behavior? - LegacyServiceAccountTokenNoAutoGeneration: no legacy tokens are auto-generated. -- LegacyServiceAccountTokenTracking: legacy tokens would have new annotation and a configmap would be created in kube-system. +- LegacyServiceAccountTokenTracking: legacy tokens would have new label and a configmap would be created in kube-system. - LegacyServiceAccountTokenCleanUp: unused auto-generated legacy tokens will be removed. ###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)? @@ -299,7 +296,7 @@ yes for all feature gates. before the reenablement, Token Controller would create tokens for serviceaccounts while the feature was off. - LegacyServiceAccountTokenTracking: during this sequence of operations, - only the annotation `last-used` is persisted, but there is no impact on the + only the label `last-used` is persisted, but there is no impact on the functionality of this feature. - LegacyServiceAccountTokenCleanUp: the same as enable the feature. diff --git a/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/kep.yaml b/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/kep.yaml index 9052fa886bf..9380dd2e64c 100644 --- a/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/kep.yaml +++ b/keps/sig-auth/2799-reduction-of-secret-based-service-account-token/kep.yaml @@ -13,10 +13,10 @@ reviewers: approvers: - "@liggitt" stage: beta -latest-milestone: "v1.26" +latest-milestone: "v1.27" milestone: - alpha: "v1.24" - beta: "v1.25" + beta: "v1.24" + stable: "v1.26" feature-gates: - name: LegacyServiceAccountTokenNoAutoGeneration components:
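Review bot: in the `@@ -142,9 +142,8 @@` hunk of README.md the bullet now says "update the label `last-used` on the secret" but gives neither the qualified label key nor the reason a label replaced the annotation. The same hunk deletes the `in-use` label that existed "for fast query", so the text should state that the `last-used` label is what now makes used tokens selectable (e.g. `kubectl get secrets -A -l <key>`), and it should spell the full key, since Kubernetes label conventions require automated components that write labels onto user objects to use a prefixed key. It should also note the constraint the annotation wording did not carry: the value must satisfy label-value syntax (alphanumerics, `-`, `_`, `.`, at most 63 characters), which a `YYYY-MM-DD` date at the stated day granularity does.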
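Review bot: the `@@ -235,10 +234,9 @@` hunk removes the "In use by multiple distributions" criterion from the LegacyServiceAccountTokenTracking Alpha -> Beta list in the same change that ticks the remaining three boxes; dropping a graduation criterion while declaring the gate ready needs a stated reason in the KEP (for example, that tracking only adds a label, a configmap and a metric and is consumed by the CleanUp gate rather than by distributions), otherwise the checklist reads as trimmed to fit. If the criterion is being retired KEP-wide, a one-line note under the graduation section would document that.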
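Review bot: same point for the `@@ -255,7 +253,6 @@` hunk, where "In use by multiple distributions" is also removed from the LegacyServiceAccountTokenCleanUp Alpha -> Beta list. This is the gate that deletes secrets, so soak evidence matters more here than for Tracking; if the criterion goes, replace it with something concrete tied to the signal this KEP creates (for instance, the `last-used` label and metric having been observed over a stated tracking window before any cleanup runs) rather than leaving only PRR, bugs and tests.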
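Review bot: in the `@@ -286,7 +283,7 @@` hunk "legacy tokens would have new label" should read "a new label"; beyond the grammar, this answer is the place to say what changes in default behavior when an annotation becomes a label: the value is now visible to label selectors, so any existing selector-based tooling or policy that lists secrets will see a daily-changing label on tracked token secrets. The configmap created in `kube-system` should likewise be called out as a new object that RBAC and audit policies may need to account for.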
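Review bot: the `@@ -299,7 +296,7 @@` hunk keeps the claim that across a disable -> enable -> disable -> enable sequence "only the label `last-used` is persisted" with "no impact on the functionality", but the earlier README hunk shows a second piece of state: the controller writes the current date as `tracked-since` into the `kube-system` configmap and deletes that configmap when the gate is off in any apiserver. After re-enablement `tracked-since` is therefore reset to the new date, which shortens the observation window the CleanUp gate depends on; the answer should say that rather than "no impact". Minor: the context line "the same as enable the feature" reads better as "the same as enabling the feature".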
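Review bot: the kep.yaml hunk leaves the metadata self-contradictory: `stage: beta` is kept, `stable: "v1.26"` is added under `milestone`, and `latest-milestone` moves to `"v1.27"`; if something reached stable in v1.26 the stage should be `stable`, and if the KEP is still beta there should be no `stable` milestone. The underlying problem is that a single `milestone` block is describing a KEP with three feature gates (`LegacyServiceAccountTokenNoAutoGeneration`, `LegacyServiceAccountTokenTracking`, `LegacyServiceAccountTokenCleanUp`) that are at different stages; dropping `alpha: "v1.24"` and rewriting `beta` from `"v1.25"` to `"v1.24"` also discards history without explanation. Please state in the file which gate the milestone block refers to, or document the per-gate timeline alongside the `feature-gates` entries.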