Reword tasks relating to ServiceAccounts #33654
I recommend getting a technical review from SIG Auth for this one.
- If the spec of the incoming Pod does already contain any `imagePullSecrets`, then the | ||
admission controller adds `imagePullSecrets`, copying them from the `ServiceAccount`. | ||
|
||
### TokenRequest API |
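Review bot: The condition in "If the spec of the incoming Pod does already contain any `imagePullSecrets`" reads inverted. As written, the admission controller would copy `imagePullSecrets` from the `ServiceAccount` only when the Pod already lists some, whereas the ServiceAccount admission controller copies them only when the Pod spec has none. Suggest "does not already contain any `imagePullSecrets`".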
Would it be worth mentioning the new `kubectl create token` feature here as that uses the TokenRequest API and could be used by end-users to generate new tokens?
Maybe. Is that a “makes the page better” change, or a “page doesn't make sense without it”. If it's the former, I'd prefer to move this one forward towards merge, and also track an issue about also documenting `kubectl create token` - maybe with a new task page.
How's this new wording?
looks like this might overlap with other already merged changes or in-flight PRs... I can take a look once it's deconflicted with current content

If anyone wants to borrow text from this PR, go ahead - it's got a CLA signoff. I also hope to revisit this after the 1.25 release.
May help with #32655
@liggitt this should be current enough to review
This mechanism superseded an earlier mechanism that added a volume based on a Secret, | ||
where the Secret represented the ServiceAccount for the Pod, but did not expire. | ||
1. A `configMap` source. The ConfigMap contains a bundle of certificate authority data. Pods can use these | ||
certificates to make sure that they are connecting to your cluster's kube-apiserver (and not to middlebox |
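Review bot: In "where the Secret represented the ServiceAccount for the Pod, but did not expire", it is unclear what "did not expire" refers to: the Secret, or the token held in it. Suggest naming the token explicitly, for example "where the Secret held a token for the Pod's ServiceAccount, and that token did not expire", so the contrast with the time-limited token from the newer mechanism is clear.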
middlebox?
https://en.wikipedia.org/wiki/Middlebox - that's the term I'd use
Now that TokenRequest is the default way to get a service account token for a Pod, update the task pages that relate to this.
Updated with fixes

updates lgtm

/lgtm
LGTM label has been added. Git tree hash: fcc32ea69be6d3a0b213bc23c1686567cd6add0c
This PR has an lgtm from a SIG Auth TL
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: reylejano
This adapts and supersedes PR #14681.
Fixes #37181
/sig auth