Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Reword tasks relating to ServiceAccounts #33654

Conversation

sftim
Copy link
Contributor

@sftim sftim commented May 13, 2022

This adapts and supersedes PR #14681.

Fixes #37181

/sig auth

@k8s-ci-robot k8s-ci-robot added sig/auth Categorizes an issue or PR as relevant to SIG Auth. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 13, 2022
@sftim sftim marked this pull request as draft May 13, 2022 18:28
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. language/en Issues or PRs related to English language labels May 13, 2022
@k8s-ci-robot k8s-ci-robot added the sig/docs Categorizes an issue or PR as relevant to SIG Docs. label May 13, 2022
@netlify
Copy link

netlify bot commented May 13, 2022

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit a4629cd
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/63534de308064d000871dc0f
😎 Deploy Preview https://deploy-preview-33654--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@sftim sftim force-pushed the 20190601_task_configure_service_account_reword branch from d351bc7 to 4c5a40b Compare May 14, 2022 08:16
@sftim sftim marked this pull request as ready for review May 14, 2022 08:19
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 14, 2022
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 15, 2022
@sftim sftim force-pushed the 20190601_task_configure_service_account_reword branch from 4c5a40b to bd13ef7 Compare June 26, 2022 20:47
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jun 26, 2022
@sftim sftim force-pushed the 20190601_task_configure_service_account_reword branch from bd13ef7 to 87d16b1 Compare June 26, 2022 20:48
@sftim
Copy link
Contributor Author

sftim commented Jul 14, 2022

I recommend getting a technical review from SIG Auth for this one.

- If the spec of the incoming Pod does already contain any `imagePullSecrets`, then the
admission controller adds `imagePullSecrets`, copying them from the `ServiceAccount`.

### TokenRequest API
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be worth mentioning the new kubectl create token feature here as that uses the TokenRequest API and could be used by end-users to generate new tokens?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe. Is that a “makes the page better” change, or a “page doesn't make sense without it”. If it's the former, I'd prefer to move this one forward towards merge, and also track an issue about also documenting kubectl create token - maybe with a new task page.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How's this new wording?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Jul 26, 2022
@liggitt
Copy link
Member

liggitt commented Aug 23, 2022

looks like this might overlap with other already merged changes or in-flight PRs... I can take a look once it's deconflicted with current content

@sftim sftim marked this pull request as draft August 23, 2022 16:35
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 23, 2022
@sftim
Copy link
Contributor Author

sftim commented Aug 23, 2022

If anyone wants to borrow text from this PR, go ahead - it's got a CLA signoff. A Co-Authored-By: credit would be nice.

I also hope to revisit this after the 1.25 release.

@sftim sftim force-pushed the 20190601_task_configure_service_account_reword branch from 87d16b1 to f87e505 Compare October 4, 2022 10:52
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 4, 2022
@sftim
Copy link
Contributor Author

sftim commented Oct 6, 2022

May help with #32655

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 6, 2022
@sftim sftim force-pushed the 20190601_task_configure_service_account_reword branch from f87e505 to 762f686 Compare October 7, 2022 15:01
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 7, 2022
@sftim sftim force-pushed the 20190601_task_configure_service_account_reword branch from 762f686 to 7e00f0d Compare October 7, 2022 15:04
@sftim sftim marked this pull request as ready for review October 7, 2022 15:05
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 7, 2022
@sftim
Copy link
Contributor Author

sftim commented Oct 13, 2022

looks like this might overlap with other already merged changes or in-flight PRs... I can take a look once it's deconflicted with current content

@liggitt this should be current enough to review

This mechanism superseded an earlier mechanism that added a volume based on a Secret,
where the Secret represented the ServiceAccount for the Pod, but did not expire.
1. A `configMap` source. The ConfigMap contains a bundle of certificate authority data. Pods can use these
certificates to make sure that they are connecting to your cluster's kube-apiserver (and not to middlebox
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

middlebox?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

https://en.wikipedia.org/wiki/Middlebox - that's the term I'd use

sftim added 3 commits October 22, 2022 02:56
Now that TokenRequest is the default way to get a service account token
for a Pod, update the task pages that relate to this.
@sftim sftim force-pushed the 20190601_task_configure_service_account_reword branch from 7e00f0d to a4629cd Compare October 22, 2022 01:56
@sftim
Copy link
Contributor Author

sftim commented Oct 22, 2022

Updated with fixes

@liggitt
Copy link
Member

liggitt commented Oct 24, 2022

updates lgtm

@liggitt
Copy link
Member

liggitt commented Oct 24, 2022

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 24, 2022
@k8s-ci-robot
Copy link
Contributor

LGTM label has been added.

Git tree hash: fcc32ea69be6d3a0b213bc23c1686567cd6add0c

@reylejano
Copy link
Member

This PR has an lgtm from a SIG Auth TL
The changes look good and good to see more of kubectl create token in the docs
/label refactor
/approve

@k8s-ci-robot k8s-ci-robot added the refactor Indicates a PR with large refactoring changes e.g. removes files or moves content label Nov 9, 2022
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: reylejano

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 9, 2022
@k8s-ci-robot k8s-ci-robot merged commit f324805 into kubernetes:main Nov 9, 2022
@sftim sftim deleted the 20190601_task_configure_service_account_reword branch November 9, 2022 22:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. language/en Issues or PRs related to English language lgtm "Looks good to me", indicates that a PR is ready to be merged. refactor Indicates a PR with large refactoring changes e.g. removes files or moves content sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/docs Categorizes an issue or PR as relevant to SIG Docs. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.
Projects
Archived in project
5 participants