Add limit to the TokenRequest expiration time

[WanLinghao]

What this PR does / why we need it:
A new API TokenRequest has been implemented.It improves current serviceaccount model from many ways.
This patch adds limit to TokenRequest expiration time.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #63575

Special notes for your reviewer:

Release note:

NONE

[WanLinghao]

/test pull-kubernetes-integration

[WanLinghao]

@mikedanese PTAL

[mikedanese]

I'm not sure if this is useful to configure. I would suggest leaving the command line option out until people ask for it.

[WanLinghao]

@mikedanese WDYT this time

[WanLinghao]

@mikedanese friendly ping

[mikedanese]

This doesn't need to be plumbed through if the value is static.

[mikedanese]

static validation should occur in pkg/apis/authentication/validation

[mikedanese]

can you call this service-account-token-max-expiration and give it a type of pflag.Duration:

https://godoc.org/github.com/spf13/pflag#FlagSet.Duration

[mikedanese]

I'd suggest only implementing maximum in this PR. How can we also enforce this maximum on the service account token volume projection?

[liggitt]

if you request over the max, do you get rejected or truncated to the max? if you get rejected, that means any pod spec that specifies a max is non-portable.

[WanLinghao]

From my point of view, we can simply do like other projected-volume did.
For example ,when you create a pod with following yaml file, at the same time, the secret "user" and "pass" are non-existent. The pod will stuck at ContainerCreating stage. The warning output would be like

Events:
  Type     Reason       Age               From                Message
  ----     ------       ----              ----                -------
  Normal   Scheduled    1m                default-scheduler   Successfully assigned office/test-projected-volume to 127.0.0.1
  Warning  FailedMount  44s (x8 over 1m)  kubelet, 127.0.0.1  MountVolume.SetUp failed for volume "all-in-one" : [secrets "user" not found, secrets "pass" not found]

apiVersion: v1
kind: Pod 
metadata:
  name: test-projected-volume
spec:
  containers:
  - name: alpine
    image: radial/busyboxplus:curl
    command: [ "/bin/ash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
    volumeMounts:
    - name: all-in-one
      mountPath: "/projected-volume"
  volumes:
  - name: all-in-one
    projected:
      sources:
      - secret:
          name: user
      - secret:
          name: pass

In other words, we don't need special process here, the api-server would refuse the TokenRequest and the pod would be stuck at ContainerCreating stage with "expiration time out of range" warning.

I'd suggest only implementing maximum in this PR. How can we also enforce this maximum on the service account token volume projection?

[WanLinghao]

@liggitt I think we can add support of percent expiration-time.
For example, a cluster starts with max-expiration time of 10 days could accept "50%" max expiration-time, which equals 5 days.
WDYT

if you request over the max, do you get rejected or truncated to the max? if you get rejected, that means any pod spec that specifies a max is non-portable.

[liggitt]

@liggitt I think we can add support of percent expiration-time.
For example, a cluster starts with max-expiration time of 10 days could accept "50%" max expiration-time, which equals 5 days.
WDYT

what are the reasons someone would request a specific validity period? requesting a percentage of an unknown period doesn't make sense to me.

[mikedanese]

I suggest we do none configurable hard validation as in #63999 and do a configurable soft validation. i.e. we should add a flag --service-account-token-max-expiration that configures the registry to truncate larger requested durations to an upper bound. I think this will be a useful flag when people start rotating these keys on a schedule. @WanLinghao @liggitt does that seem reasonable?

[WanLinghao]

@mikedanese I think for lower bound, none configurable hard validation is reasonable.
But for upper bound, configurable soft validation alone is enough. Since if we set the hard validation too low, it would restrict users. If we set it too high, it makes no difference from permanent one.

Maybe we can do like this, user can't request a token with expiration time lower than 10minutes, its hard validation and non-configurable. For upper bound, if it is configured, any larger request would be truncated into max value. If it is not configured, there's no upper bound on expiration time.

[WanLinghao]

@liggitt @mikedanese test added, PTAL

[liggitt]

if non-zero, should verify this is:

• >= the default value (1 hour)
• <= the max value (2^32 seconds)

[liggitt]

lgtm otherwise

[WanLinghao]

/test pull-kubernetes-e2e-gce

[WanLinghao]

@liggitt done PTAL

[liggitt]

typo: hour

[liggitt]

lowBound := time.Hour would be simpler

[liggitt]

upBound := time.Duration(1<<32) * time.Second would be simpler

[WanLinghao]

@liggitt Done PTAL

[liggitt]

name this maxExpirationSeconds so it's clear what the unit is

[liggitt]

..., must be between ...

[liggitt]

/approve
a couple nits, then go ahead and squash
@mikedanese has lgtm

[WanLinghao]

@mikedanese PTAL

[WanLinghao]

@mikedanese friendly ping

[mikedanese]

/lgtm

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, mikedanese, WanLinghao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• cmd/kube-apiserver/OWNERS [liggitt,mikedanese]
• pkg/kubeapiserver/OWNERS [liggitt]
• pkg/master/OWNERS [mikedanese]
• pkg/registry/OWNERS [liggitt]
• test/OWNERS [liggitt,mikedanese]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[WanLinghao]

/retest

[WanLinghao]

/retest

[WanLinghao]

/retest

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.