implement ServiceAccountTokenProjection#62005
implement ServiceAccountTokenProjection#62005k8s-github-robot merged 1 commit intokubernetes:masterfrom
Conversation
|
@mikedanese: Adding do-not-merge/release-note-label-needed because the release note process has not been followed. DetailsOne of the following labels is required "release-note", "release-note-action-required", or "release-note-none". Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
5f43d74 to
06ece83
Compare
|
/assign @CaoShuFeng |
|
Currently working on testing. example config: kind: Deployment
apiVersion: apps/v1
metadata:
labels:
run: nginx
name: nginx
spec:
replicas: 30
selector:
matchLabels:
run: nginx
template:
metadata:
labels:
run: nginx
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /var/run/secrets/tokens
name: token
volumes:
- name: token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 60
audiences:
- hi |
|
/hold I'd like to see an agreed upon and checked in design doc here. As this also impacts our API, I'd also like to see a heads up to the API review folks to make sure they are aware of the context. A checked in design doc will also help with release notes and documentation. |
f5df59a to
c20d417
Compare
|
/lgtm |
|
/retest |
|
/milestone v1.11 |
|
@tallclair: The provided milestone is not valid for this repository. Milestones in this repository: [ Use DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
saad-ali
left a comment
There was a problem hiding this comment.
Volume changes LGTM
/lgtm
/approve
|
/retest |
tallclair
left a comment
There was a problem hiding this comment.
I think the service account admission controller needs to be updated too: https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/serviceaccount/admission.go#L198
How do we prevent static pods from mounting serviceAccountTokenProjections?
pkg/kubelet/kubelet.go
Outdated
There was a problem hiding this comment.
nit: move this down to where it's used
pkg/kubelet/token/BUILD
Outdated
There was a problem hiding this comment.
Do you want to add an OWNERS file too?
pkg/kubelet/token/token_manager.go
Outdated
pkg/kubelet/token/token_manager.go
Outdated
There was a problem hiding this comment.
Yeah, better safe than sorry. I don't think static pods go through defaulting.
pkg/kubelet/token/token_manager.go
Outdated
There was a problem hiding this comment.
nit: what is iat? Use a more descriptive variable name.
There was a problem hiding this comment.
iat is a common abbreviation in oauth/jose world https://tools.ietf.org/html/rfc7519#section-4.1.6
pkg/kubelet/token/token_manager.go
Outdated
There was a problem hiding this comment.
nit: add a comment: // Require a refresh if within 20% of the TTL from the expiration time.
There was a problem hiding this comment.
nit: move division to the outer expression for finer accuracy
This hurts readability because we have to cast back and forth between (duration,int64,float64) if the accuracy gain is +- half a second, I don't think it's worth it.
There was a problem hiding this comment.
I mean -1 * time.Duration(*tr.Spec.ExpirationSeconds) * time.Second * 20 / 100, which resolves to a time.Duration. But yeah, the accuracy isn't worth the time it took me to write this comment ;-)
pkg/kubelet/token/token_manager.go
Outdated
There was a problem hiding this comment.
Is name the service account name, or pod name? In either case, should this include a UID?
There was a problem hiding this comment.
The name, namespace are of the service account. The actual TokenRequest has pod name and pod UID included in the object binding, which is validated on the apiserver. We can't include service account UID because that information is not present on the pod object.
pkg/kubelet/token/token_manager.go
Outdated
There was a problem hiding this comment.
Does this need to include expiration time? If it's encoded in the token, then I think the answer is yes. If it just controls the cache, then maybe not?
There was a problem hiding this comment.
It doesn't need an expiration time. The cache is essentially a map from TokenRequestSpec to TokenRequestStatus so an expiration timestamp is an attribute of the status.
There was a problem hiding this comment.
Er, sorry, I meant ExpirationSeconds. I.e. I'm wondering if 2 volumes with the same spec but different expirations could share a cache entry. I expect this to be a pretty unlikely scenario, so it's probably not worth changing.
There was a problem hiding this comment.
The ExpirationSeconds is in tr.Spec so the requested expiration is included in the cache key. Right now the requested expiration seconds will always be the expiration seconds, because we aren't implementing any sort of softmax. Two volume projections with the same spec should always project the same token.
There was a problem hiding this comment.
nit: use the assert/require library? require.NoError(t, err)
same below.
There was a problem hiding this comment.
optional: use k8s.io/apimachinery/pkg/util/clock.FakeClock
Added enforcement to the admission controller. |
|
/retest |
|
/test pull-kubernetes-bazel-test |
|
/assign @tallclair |
|
[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process @CaoShuFeng @awly @derekwaynecarr @liggitt @mikedanese @saad-ali @tallclair Pull Request Labels
|
pkg/kubelet/token/token_manager.go
Outdated
There was a problem hiding this comment.
I think this is growing unbounded? It should grow slowly, but you need some way of clearing out old tokens.
pkg/kubelet/token/token_manager.go
Outdated
There was a problem hiding this comment.
I mean -1 * time.Duration(*tr.Spec.ExpirationSeconds) * time.Second * 20 / 100, which resolves to a time.Duration. But yeah, the accuracy isn't worth the time it took me to write this comment ;-)
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: awly, mikedanese, saad-ali, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
New changes are detected. LGTM label has been removed. |
|
squashed |
|
New changes are detected. LGTM label has been removed. |
|
fixed govet in test. |
|
/retest |
|
@mikedanese looks like this could use a good release note. that should be the last thing this needs to merge |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
Hello there! @mikedanese I'm Zach Arnold working on Docs for the 1.11 release. This PR was identified as one needing some documentation in the https://github.com/kubernetes/website repo around your contributions (thanks by the way!) When you have some time, could you please modify/add/remove the relevant content that needs changing in our documentation repo? Thanks! Please let me or my colleague Misty know (@zparnold/@misty on K8s Slack) if you need any assistance with the documentation. |
design here: kubernetes/community#1973
part of #61858
part of #48408
@kubernetes/sig-auth-pr-reviews @kubernetes/sig-storage-pr-reviews