KSA token for Kubelet image credential providers alpha by aramase · Pull Request #128372 · kubernetes/kubernetes

aramase · 2024-10-28T06:11:15Z

Expand the on-disk kubelet credential provider configuration to allow an optional tokenAttribute field to be configured. When this field is not set, no KSA token will be sent to the plugin. When it is set, the Kubelet will provision a token with the given audience bound to the current pod and its service account. This KSA token along with required annotations on the KSA defined in configuration will be sent to the credential provider plugin via its standard input (along with the image information that is already sent today). The KSA annotations to be sent are configurable in the kubelet credential provider configuration.

/kind feature
/sig auth
/triage accepted
/milestone v1.32
/priority important-soon

Expanded the on-disk kubelet credential provider configuration to allow an optional `tokenAttribute` field to be configured. When it is set, the Kubelet will provision a token with the given audience bound to the current pod and its service account. This KSA token along with required annotations on the KSA defined in configuration will be sent to the credential provider plugin via its standard input (along with the image information that is already sent today). The KSA annotations to be sent are configurable in the kubelet credential provider configuration.

[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/README.md

k8s-ci-robot · 2024-10-28T06:11:17Z

@aramase: You must be a member of the kubernetes/milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Milestone Maintainers Team and have them propose you as an additional delegate for this responsibility.

Details

In response to this:

TODO

/kind feature
/sig auth
/triage accepted
/milestone v1.32
/priority important-soon
TODO
[KEP]: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/4412-projected-service-account-tokens-for-kubelet-image-credential-providers/README.md

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Vyom-Yadav · 2024-10-30T05:46:03Z

Hey @aramase
I see this PR is being actively worked on and is tagged for the v1.32 release.

Just a reminder that the code freeze is starting 02:00 UTC Friday November 8th 2024 (about 1 week from now). Please make sure the PR has both lgtm and approved labels before the code freeze. Thanks!

stlaz · 2025-02-19T13:16:35Z

#128372 (comment) is still true (but github is hiding it), please consider this when investing further in testing private image pulling ... we really need an answer that doesn't depend on a fixed SaaS with permanently valid credentials. My suggestion is an in-cluster registry stood up by e2e with some tiny test image (pause?)

I created an issue for sig-node - #130271 to track this. As far as I can tell, at least one of the NodeConformance tests would be affected, hopefully this will be prioritized in a triage.

stlaz · 2025-02-19T13:54:26Z

/test pull-kubernetes-node-kubelet-credential-provider
/test pull-kubernetes-e2e-gce-kubelet-credential-provider
these test failures appear to refer to a featuregate that was removed from the suites in master?

liggitt · 2025-02-19T14:14:07Z

/test pull-kubernetes-node-kubelet-credential-provider /test pull-kubernetes-e2e-gce-kubelet-credential-provider these test failures appear to refer to a featuregate that was removed from the suites in master?

just removed in #130162 and broke these test suites

stlaz · 2025-02-20T12:04:11Z

Thanks for the info 👍 I see there were some fixes, I'll try to rerun again and perhaps see if more fixing is needed.

/test pull-kubernetes-node-kubelet-credential-provider
/test pull-kubernetes-e2e-gce-kubelet-credential-provider

stlaz · 2025-02-20T13:41:50Z

I haven't dealt with k8s test infra before but kubernetes/test-infra#34374 should hopefully fix the permafails in these and couple other jobs.

aramase · 2025-02-24T01:42:20Z

/retest

stlaz · 2025-02-24T11:09:28Z

kubernetes/kops#17270 merged, let's see if it got picked by the CI

/test pull-kubernetes-node-kubelet-credential-provider
/test pull-kubernetes-e2e-gce-kubelet-credential-provider

Rajalakshmi-Girish · 2025-02-24T11:47:24Z

Hello @aramase @stlaz
Thanks for actively working on this PR.

Friendly reminder that code freeze is starting at 02:00 UTC Friday 21st March 2025 (about 4 weeks from now), and while there is still time, we want to ensure that each PR has a chance to be merged on time.

Please make sure the PR has both lgtm and approved labels before the code freeze. Thanks!

aramase · 2025-02-24T15:02:18Z

/assign @mrunalp

@mrunalp could you review the PR?

cross posting my comment from slack (xref: https://kubernetes.slack.com/archives/C04UMAUC4UA/p1738772703138039?thread_ts=1738000047.329689&cid=C04UMAUC4UA)

@mrunalp
fyi, we have a LGTM from SIG Auth. Looking for review and approval for the node changes and after that we'll get the API bits reviewed with Jordan. LMK if you have any questions as you review the PR.

aramase · 2025-02-24T15:23:38Z

kubernetes/kops#17270 merged, let's see if it got picked by the CI

/test pull-kubernetes-node-kubelet-credential-provider /test pull-kubernetes-e2e-gce-kubelet-credential-provider

thanks @stlaz for opening kubernetes/test-infra#34374. CI failures in this PR (*-kubelet-credential-provider) should be resolved after that's merged.

haircommander · 2025-03-03T21:20:48Z

this LGTM thanks @aramase

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

liggitt · 2025-03-12T05:25:13Z

/lgtm
/approve

k8s-ci-robot · 2025-03-12T05:25:19Z

LGTM label has been added.

Details

Git tree hash: b74ac7e23d53f50e5e9760a3f46c85f912b366bc

k8s-ci-robot · 2025-10-05T16:15:20Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: aramase, enj, hashim21223445, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~pkg/credentialprovider/OWNERS~~ [enj,liggitt]
~~pkg/features/OWNERS~~ [enj,liggitt]
~~pkg/generated/openapi/OWNERS~~ [liggitt]
~~pkg/kubelet/OWNERS~~ [liggitt]
~~pkg/kubelet/apis/config/OWNERS~~ [liggitt]
~~plugin/pkg/auth/authorizer/OWNERS~~ [liggitt]
~~staging/src/k8s.io/kubelet/config/OWNERS~~ [liggitt]
~~staging/src/k8s.io/kubelet/pkg/apis/OWNERS~~ [liggitt]
~~test/OWNERS~~ [enj,liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

aramase changed the title ~~PSAT for Kubelet image credential providers alpha~~ [WIP] PSAT for Kubelet image credential providers alpha Oct 28, 2024

k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/node Categorizes an issue or PR as relevant to SIG Node. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Oct 28, 2024

k8s-ci-robot requested review from enj and ffromani October 28, 2024 06:11

aramase mentioned this pull request Oct 28, 2024

Projected service account tokens for Kubelet image credential providers kubernetes/enhancements#4412

Open

28 tasks

k8s-ci-robot added this to the v1.32 milestone Oct 28, 2024

aramase force-pushed the aramase/f/kep_4412_alpha_impl branch from 8236d95 to f6c268d Compare October 31, 2024 17:03

k8s-ci-robot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Oct 31, 2024

aramase force-pushed the aramase/f/kep_4412_alpha_impl branch 5 times, most recently from 8ab96f0 to 8b87dd2 Compare November 1, 2024 06:41

k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 1, 2024

stlaz mentioned this pull request Feb 19, 2025

Kubelet's e2e tests need a new mechanism for private image pull tests #130271

Closed

liggitt reviewed Mar 7, 2025

View reviewed changes

Comment thread pkg/credentialprovider/plugin/config.go Outdated

liggitt reviewed Mar 7, 2025

View reviewed changes

aramase mentioned this pull request Mar 11, 2025

[KEP-4412] follow-ups from alpha implementation #130709

Closed

3 tasks

liggitt reviewed Mar 11, 2025

View reviewed changes

aramase added 4 commits March 11, 2025 19:24

Add TokenAttributes field to v1 CredentialProvider

ba2eecc

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Add service account token and annotation to v1 CredentialProviderRequest

dd7b9f6

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Add KubeletServiceAccountTokenForCredentialProviders feature gate

d398de2

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

node authorizer changes to allow read on svcaccounts

6defd8c

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

liggitt reviewed Mar 12, 2025

View reviewed changes

Comment thread pkg/kubelet/kubelet.go Outdated

aramase added 2 commits March 11, 2025 20:36

Update credential provider plugin to support using service account token

ad8666c

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

add e2e test with the gcp-credential-provider test plugin

2090a01

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

aramase mentioned this pull request Mar 12, 2025

Define type alias for getServiceAccount function #130749

Merged

stlaz mentioned this pull request Mar 14, 2025

Ensure Secret Image Pulls for service accounts #130808

Closed

dereknola mentioned this pull request Apr 29, 2025

Update kubernetes to v1.33 and golang 1.24 rancher/wharfie#34

Merged

hashim21223445 approved these changes Oct 5, 2025

View reviewed changes

Conversation

aramase commented Oct 28, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

k8s-ci-robot commented Oct 28, 2024

Uh oh!

Vyom-Yadav commented Oct 30, 2024

Uh oh!

stlaz commented Feb 19, 2025

Uh oh!

stlaz commented Feb 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

liggitt commented Feb 19, 2025

Uh oh!

stlaz commented Feb 20, 2025

Uh oh!

stlaz commented Feb 20, 2025

Uh oh!

aramase commented Feb 24, 2025

Uh oh!

stlaz commented Feb 24, 2025

Uh oh!

Rajalakshmi-Girish commented Feb 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

aramase commented Feb 24, 2025

Uh oh!

aramase commented Feb 24, 2025

Uh oh!

haircommander commented Mar 3, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

liggitt commented Mar 12, 2025

Uh oh!

k8s-ci-robot commented Mar 12, 2025

Uh oh!

k8s-ci-robot commented Oct 5, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

15 participants

aramase commented Oct 28, 2024 •

edited

Loading

stlaz commented Feb 19, 2025 •

edited

Loading

Rajalakshmi-Girish commented Feb 24, 2025 •

edited

Loading