Reduction of Secret-based Service Account Tokens

[zshihang]

Enhancement Description

• One-line enhancement description: reduce secret-based service account tokens

• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token

• Discussion Link: sig-auth

• Primary contact (assignee): @zshihang, @yt2985

• Responsible SIGs: sig-auth

• Enhancement target (which target equals to which milestone):

  • LegacyServiceAccountTokenNoAutoGeneration feature gate
    • Beta release target (x.y): 1.24
    • Stable release target (x.y): 1.26
  • LegacyServiceAccountTokenTracking feature gate
    • Alpha release target (x.y): 1.26
    • Beta release target (x.y): 1.27
    • Stable release target (x.y): 1.28
  • LegacyServiceAccountTokenCleanUp feature gate
    • Alpha release target (x.y): 1.28
    • Beta release target (x.y): 1.29
    • Stable release target (x.y): 1.30

• 1.24

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: Reduction of Secret-based Service Account Tokens #2800
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • no auto-generation of secret-based service account token kubernetes#108309
  • Docs (k/website) update PR(s):
    • Stop recommending people scrape auto-generated service account tokens website#31845
    • Fixup service account token doc website#31894
    • New feature 'LegacyServiceAccountTokenNoAutoGeneration' website#32339

• 1.25

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: Update for 1.25 #3393

• 1.26

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: LegacyServiceAccountTokenNoAutoGeneration ga and LegacyServiceAccountTokenTracking alpha #3536
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • graduate LegacyServiceAccountTokenNoAutoGeneration to ga kubernetes#112838
    • LegacyServiceAccountTokenTracking
      • track legacy service account tokens kubernetes#108858
  • Docs (k/website) update(s):
    • update doc of KEP-2799 website#37483

• 1.27

  • KEP (k/enhancements) update PR(s):
    • KEP-2799: update for LegacyServiceAccountTokenTracking beta #3696
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenNoAutoGeneration
      • lock LegacyServiceAccountTokenNoAutoGeneration kubernetes#114522
    • LegacyServiceAccountTokenTracking
      • graduate LegacyServiceAccountTokenTracking to beta kubernetes#114523
  • Docs (k/website) update(s):
    • LegacyServiceAccountTokenNoAutoGeneration / LegacyServiceAccountTokenTracking gate PR - update LegacyServiceAccountTokenTracking to beta website#40066

• 1.28

  • KEP (k/enhancements) update PR(s):
    • update kep-2799 #3964
    • KEP-2799: update latest-milestone to 1.28 #4135
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenTracking
      • graduate LegacyServiceAccountTokenTracking to GA kubernetes#117591
    • LegacyServiceAccountTokenCleanUp
      • LegacyServiceAccountTokenCleanUp alpha kubernetes#115554
  • Docs (k/website) update(s):
    • Add LegacyServiceAccountTokenCleanUp feature in alpha; move LegacyServiceAccountTokenTracking to GA website#41341

• 1.29

  • KEP (k/enhancements) update PR(s):
    • Revise KEP 2799-reduction-of-secret-based-service-account-token for LegacyServiceaccountTokenCleanup feature. #4157
  • Code (k/k) update PR(s):
    • LegacyServiceAccountTokenCleanUp
      • LegacyServiceAccountTokenCleanUp beta kubernetes#120682
  • Docs (k/website) update(s):
    • Add LegacyServiceAccountTokenCleanUp feature in beta website#43563

[zshihang]

/sig auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[enj]

/remove-lifecycle stale
/lifecycle frozen

[gracenng]

Hi @zshihang , 1.24 Enhancements Lead here. Will this enhancement (both features) be in alpha for 1.24?
Thanks

[zshihang]

LegacyServiceAccountTokenNoAutoGeneration would be beta in 1.24; LegacyServiceAccountTokenTracking and LegacyServiceAccountTokenCleanUp would be alpha in 1.24.

[gracenng]

Cross posted in PR
Hi @zshihang ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. I'll mark this as beta while awaiting your confirmation
Here’s where this enhancement currently stands:

• Updated KEP file using the latest template has been merged into the k/enhancements repo KEP-2799: Reduction of Secret-based Service Account Tokens #2800
• KEP status is marked as implementable for this release with latest-milestone: 1.24
• KEP has a test plan section filled out.
• KEP has up to date graduation criteria.
• KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is track as at risk. @zshihang, you replied "done" in the PR but it has not been merged. Did I miss something?
Thanks!

[liggitt]

@gracenng the linked PR has now merged. can you confirm this is in good shape for enhancements freeze?

[gracenng]

Thanks for the ping @liggitt . Updated status to tracked, all good for enhancements freeze

[chrisnegus]

Hi @zshihang 👋 1.24 Docs shadow here.

This enhancement is marked as 'Needs Docs' for the 1.24 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.24 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu March 31, 11:59 PM PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

[gracenng]

Hi @zshihang 1.24 Enhancements Team here,

With Code Freeze approaching on 18:00 PDT Tuesday March 29th 2022, the enhancement status is at risk as there is no linked k/k PR. Kindly list them in this issue. Thanks!

[liggitt]

updated description with code and docs PRs

[chrisnegus]

@liggitt Thanks for adding links to the docs PRs. Is that all the documentation required for this KEP in 1.24?

[liggitt]

the unchecked items represent work yet to be done

[liggitt]

Targeting promotion to stable in 1.30

[sreeram-venkitesh]

Hello @zshihang 👋, Enhancements team here.

Just checking in as we approach enhancements freeze on 02:00 UTC Friday 9th February 2024.

This enhancement is targeting for stage stable for v1.30 (correct me, if otherwise)

Here's where this enhancement currently stands:

• KEP readme using the latest template has been merged into the k/enhancements repo.
• KEP status is marked as implementable for latest-milestone: 1.30. KEPs targeting stable will need to be marked as implemented after code PRs are merged and the feature gates are removed.
• KEP readme has up-to-date graduation criteria
• KEP has a production readiness review that has been completed and merged into k/enhancements. (For more information on the PRR process, check here).

For this KEP, we would just need to update the following:

• Raise a PR updating latest-milestone in kep.yaml to 1.30 and stage as stable

The status of this enhancement is marked as at risk for enhancement freeze. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[liggitt]

#4465 should address #2799 (comment)

[sreeram-venkitesh]

Thanks! Marking this KEP as Tracked for enhancements freeze!

[chanieljdan]

Hi @liggitt, @zshihang 👋, 1.30 Docs Shadow here.

Does this enhancement work planned for 1.30 require any new docs or modification to existing docs?
If so, please follows the steps here to open a PR against dev-1.30 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday February 22nd 2024 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

(At a minimum, please remember to update the feature flags to stable for this release ✨)

[fkautz]

Hi @zshihang, @yt2985

👋 from the v1.30 Communications Team! We'd love for you to opt in to write a feature blog about your enhancement!

We encourage blogs for features including, but not limited to: breaking changes, features and changes important to our users, and features that have been in progress for a long time and are graduating.

To opt in, you need to open a Feature Blog placeholder PR against the website repository.
The placeholder PR deadline is 27th February, 2024.
Here's the 1.30 Release Calendar

[chanieljdan]

Hi @liggitt, @zshihang 👋, 1.30 Docs Shadow here.

Does this enhancement work planned for 1.30 require any new docs or modification to existing docs? If so, please follows the steps here to open a PR against dev-1.30 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thursday February 22nd 2024 18:00 PDT.

Also, take a look at Documenting for a release to get yourself familiarize with the docs requirement for the release.

Thank you!

(At a minimum, please remember to update the feature flags to stable for this release ✨)

We'll need a stability version bumping PR at a minimum. Thanks!

[yt2985]

Thank you for the reminder, @chanieljdan! I opened kubernetes/website#45253 for the stability version bumping up.

[sftim]

Are there any code changes expected for v1.30 (eg: changing some feature gates from beta to stable)? I see a docs PR but no code change.

[liggitt]

Just the gate promotion in kubernetes/kubernetes#122635

[sreeram-venkitesh]

Hey again @zshihang 👋 v1.30 Enhancements team here,

Just checking in as we approach code freeze at 02:00 UTC Wednesday 6th March 2024 .

Here's where this enhancement currently stands:

• All PRs to the Kubernetes repo that are related to your enhancement are linked in the above issue description (for tracking purposes).
• All PR/s are ready to be merged (they have approved and lgtm labels applied) by the code freeze deadline. This includes tests.

For this enhancement, with below PRs merged as per the issue description, this enhancement is now marked as tracked for code freeze for the 1.30 Code Freeze! 🚀

• Promote LegacyServiceAccountTokenCleanUp to GA kubernetes#122635

Also, please let me know if there are other PRs in k/k we should be tracking for this KEP. As always, we are here to help if any questions come up. Thanks!

[yt2985]

Hi @sreeram-venkitesh, the PR kubernetes/website#45253 is now open for the doc change. Thank you!

[liggitt]

KEP marked as implemented / stable in 1.30

/close

[k8s-ci-robot]

@liggitt: Closing this issue.

In response to this:

KEP marked as implemented / stable in 1.30

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[MageshSrinivasulu]

Ideally, this feature should not clean up the manually created legacy service account token. But only clean up the auto-generated ones.

[yt2985]

Ideally, this feature should not clean up the manually created legacy service account token. But only clean up the auto-generated ones.

Right, when the manually created service account is correctly used, it will not be cleaned by this cleaner: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#:~:text=you%20just%20created.-,Caution%3A,-Do%20not%20reference