Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TokenRequest API and Kubelet integration #542

Closed
mikedanese opened this issue Jan 18, 2018 · 72 comments · Fixed by kubernetes/kubernetes#101992
Closed

TokenRequest API and Kubelet integration #542

mikedanese opened this issue Jan 18, 2018 · 72 comments · Fixed by kubernetes/kubernetes#101992
Assignees
@zshihang
Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/storage Categorizes an issue or PR as relevant to SIG Storage. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Milestone
v1.22

Comments

@mikedanese
Copy link
Member

mikedanese commented Jan 18, 2018
edited by liggitt
Loading

Improved service account tokens
@mikedanese mikedanese added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jan 18, 2018
@mikedanese mikedanese self-assigned this Jan 18, 2018
@mikedanese mikedanese added this to the v1.10 milestone Jan 18, 2018
@mikedanese mikedanese added the kind/feature Categorizes issue or PR as related to a new feature. label Jan 18, 2018
@idvoretskyi idvoretskyi added the stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status label Jan 22, 2018
@smarterclayton
Copy link
Contributor

Should we add the use of the token request API to this bug as well? Specifically, consuming those tokens and allowing the service account token injector to be specialized?

@mikedanese mikedanese changed the title TokenRequest API TokenRequest API and Kubelet integration Jan 25, 2018
@mikedanese
Copy link
Member Author

@smarterclayton added that to this feature.

@idvoretskyi idvoretskyi added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jan 29, 2018
@Bradamant3
Copy link
Contributor

@mikedanese this item is listed on the feature tracking spreadsheet for 1.10 as needing docs. Does it in fact need them? If not, could you please update here? If so, could you please get a docs PR in against the 1.10 branch of the k8s/website repo asap? Thanks!

@Bradamant3
Copy link
Contributor

@mikedanese @smarterclayton docs update please? We need to get docs PRs merged by this Friday (March 9). Thanks!
/cc @idvoretskyi

@mikedanese
Copy link
Member Author

I added a comment. No docs needed.

@mikedanese mikedanese modified the milestones: v1.10, v1.11 Apr 12, 2018
@davidz627 davidz627 mentioned this issue Apr 13, 2018
Closed
@justaugustus
Copy link
Member

@mikedanese
Any plans for this in 1.11?

If so, can you please ensure the feature is up-to-date with the appropriate:

  • Description
  • Milestone
  • Assignee(s)
  • Labels:
    • stage/{alpha,beta,stable}
    • sig/*
    • kind/feature

cc @idvoretskyi

@mdlinville
Copy link

@mikedanese please fill out the appropriate line item of the
1.11 feature tracking spreadsheet
and open a placeholder docs PR against the
release-1.11 branch
by 5/25/2018 (tomorrow as I write this) if new docs or docs changes are
needed and a relevant PR has not yet been opened.

@justaugustus
Copy link
Member

@mikedanese -- We're doing one more sweep of the 1.11 Features tracking spreadsheet.
Would you mind filling in any incomplete / blank fields for this feature's line item?

@justaugustus justaugustus removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jul 18, 2018
@kacole2
Copy link

kacole2 commented Jul 23, 2018

@mikedanese This feature was worked on in the previous milestone, so we'd like to check in and see if there are any plans for this to graduate stages in Kubernetes 1.12.

If there are any updates, please explicitly ping @justaugustus, @kacole2, @robertsandoval, @rajendar38 to note that it is ready to be included in the Features Tracking Spreadsheet for Kubernetes 1.12.

Please note that the Features Freeze is July 31st, after which any incomplete Feature issues will require an Exception request to be accepted into the milestone.

In addition, please be aware of the following relevant deadlines:

  • Docs deadline (open placeholder PRs): 8/21
  • Test case freeze: 8/28

Please make sure all PRs for features have relevant release notes included as well.

Happy shipping!

@justaugustus justaugustus removed this from the v1.11 milestone Jul 31, 2018
@mikedanese mikedanese added stage/beta Denotes an issue tracking an enhancement targeted for Beta status and removed stage/alpha Denotes an issue tracking an enhancement targeted for Alpha status labels Jul 31, 2018
@mikedanese mikedanese added this to the v1.12 milestone Jul 31, 2018
@mikedanese
Copy link
Member Author

This is going to beta in 1.12

@justaugustus
Copy link
Member

Thanks for the update. I've added this to the 1.12 tracking sheet.

cc: @kacole2 @wadadli @robertsandoval @rajendar38

@justaugustus justaugustus added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Aug 4, 2018
@munnerz munnerz mentioned this issue Aug 15, 2018
Closed
@zparnold
Copy link
Member

Hey there! @mikedanese I'm the wrangler for the Docs this release. Is there any chance I could have you open up a docs PR against the release-1.12 branch as a placeholder? That gives us more confidence in the feature shipping in this release and gives me something to work with when we start doing reviews/edits. Thanks! If this feature does not require docs, could you please update the features tracking spreadsheet to reflect it?

@justaugustus
Copy link
Member

@mikedanese --
Any update on docs status for this feature? Are we still planning to land it for 1.12?
At this point, code freeze is upon us, and docs are due on 9/7 (2 days).
If we don't here anything back regarding this feature ASAP, we'll need to remove it from the milestone.

cc: @zparnold @jimangel @tfogo

@k8s-ci-robot k8s-ci-robot added the sig/storage Categorizes an issue or PR as relevant to SIG Storage. label May 12, 2021
@zshihang
Copy link
Contributor

nope

@zshihang zshihang mentioned this issue May 13, 2021
Merged
@PI-Victor
Copy link
Member

PI-Victor commented May 18, 2021
edited
Loading

Hello @zshihang 👋, 1.22 Docs release lead here.

This enhancement is marked as ‘Needs Docs’ for 1.22 release.

Please follow the steps detailed in the documentation to open a PR against dev-1.22 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Fri July 9, 11:59 PM PDT.
 Also, take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

p.s.: please remember to update the feature gates table for BoundServiceAccountTokenVolume graduation.

@reylejano
Copy link
Member

Hi @zshihang,

With kubernetes/kubernetes#101992 merged, we will mark this as code complete for the 1.22 release 🎉

@PI-Victor
Copy link
Member

Heya @zshihang, please see my comment above regarding the docs placeholder PR, deadline is approaching,
thank you!

@zshihang zshihang mentioned this issue Jun 22, 2021
Merged
@reylejano
Copy link
Member

reylejano commented Jun 23, 2021
edited
Loading

Hi @zshihang,
We're just over 2 weeks away from code freeze (July 8, 2021). Other than kubernetes/kubernetes#101992 , are there any additional open or merged k/k PRs we should be tracking for the 1.22 release?
Thank you!

@arianvp arianvp mentioned this issue Aug 14, 2021
Closed
@ldemailly ldemailly mentioned this issue May 13, 2022
Closed
@iciclespider iciclespider mentioned this issue May 17, 2022
Closed
@michelesr michelesr mentioned this issue May 18, 2022
Closed
michelesr added a commit to citizensadvice/kube-schedule-scaler that referenced this issue May 18, 2022
@michelesr
Fix stale serviceaccount tokens
2d794f6 
Kubernetes version 1.21 graduated BoundServiceAccountTokenVolume feature
to beta and enabled it by default. This feature improves security of
service account tokens by requiring a one hour expiry time, over the
previous default of no expiration. This means that applications that do
not refetch service account tokens periodically will receive an HTTP 401
unauthorized error response on requests to Kubernetes API server with
expired tokens

kubernetes/enhancements#542

This commit forces kube-schedule-scaler to refresh token every minute,
and acts as workaround at least until pykube-ng implements automatic
token renewal.
@michelesr michelesr mentioned this issue May 18, 2022
Merged
JacobHenner added a commit to JacobHenner/kubernetes_asyncio that referenced this issue May 18, 2022
@JacobHenner
Periodically refresh ServiceAccount tokens
b5fc07f 
Periodically refresh ServiceAccount tokens. This is required to avoid
authentication errors when time-bound tokens [1] are rotated, and the
initially-read token expires. Time bound tokens are beta in Kubernetes
1.21, and GA in 1.22 [2].

[1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens
[2]: kubernetes/enhancements#542
@JacobHenner JacobHenner mentioned this issue May 18, 2022
Merged
@DonnyOlijslager DonnyOlijslager mentioned this issue May 19, 2022
Open
JacobHenner added a commit to JacobHenner/kubernetes_asyncio that referenced this issue May 23, 2022
@JacobHenner
Periodically refresh ServiceAccount tokens
f740775 
Periodically refresh ServiceAccount tokens. This is required to avoid
authentication errors when time-bound tokens [1] are rotated, and the
initially-read token expires. Time bound tokens are beta in Kubernetes
1.21, and GA in 1.22 [2].

[1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens
[2]: kubernetes/enhancements#542
@vgaddavcg vgaddavcg mentioned this issue May 24, 2022
Closed
tomplus pushed a commit to tomplus/kubernetes_asyncio that referenced this issue May 24, 2022
@JacobHenner
Periodically refresh ServiceAccount tokens (#205)
50fc5f8 
Periodically refresh ServiceAccount tokens. This is required to avoid
authentication errors when time-bound tokens [1] are rotated, and the
initially-read token expires. Time bound tokens are beta in Kubernetes
1.21, and GA in 1.22 [2].

[1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens
[2]: kubernetes/enhancements#542
tomplus pushed a commit to tomplus/kubernetes_asyncio that referenced this issue May 24, 2022
@JacobHenner @tomplus
Periodically refresh ServiceAccount tokens (#205)
d2f87db 
Periodically refresh ServiceAccount tokens. This is required to avoid
authentication errors when time-bound tokens [1] are rotated, and the
initially-read token expires. Time bound tokens are beta in Kubernetes
1.21, and GA in 1.22 [2].

[1]: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens
[2]: kubernetes/enhancements#542
@davidegiunchi davidegiunchi mentioned this issue May 27, 2022
Closed
@cilindrox cilindrox mentioned this issue Jun 6, 2022
Open
@junjunjunk junjunjunk mentioned this issue Jun 22, 2022
Closed
@HarshadRanganathan HarshadRanganathan mentioned this issue Aug 19, 2022
Open
@rhockenbury rhockenbury removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Sep 20, 2022
@yurique yurique mentioned this issue Dec 3, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zshihang zshihang

Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/storage Categorizes an issue or PR as relevant to SIG Storage. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status
Projects
SIG Auth
Archived in project
Milestone
v1.22
Development

Successfully merging a pull request may close this issue.

BoundServiceAccountTokenVolume ga zshihang/kubernetes