Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update ClusterLoader2's temp KubeConfig PKI for ServiceAccount #3098

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update ClusterLoader2's temp KubeConfig PKI for ServiceAccount #3098

wants to merge 1 commit into from

Conversation

sambdavidson
Copy link

Populating a ServiceAccount's Secret with CA and JWT data is a legacy flow replaced in 1.24+ with the kube-root-ca.crt ConfigMap and token resources. Public documentation now encourages using tokens instead: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#manual-secret-management-for-serviceaccounts

What type of PR is this?

/kind bug
/kind deprecation

What this PR does / why we need it:

Which issue(s) this PR fixes:

Clusters using GKE's CPA (and many other modern clusters) no longer populate a SA's secret with CA and token information.

Special notes for your reviewer:

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. kind/bug Categorizes issue or PR as related to a bug. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 13, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sambdavidson
Once this PR has been reviewed and has the lgtm label, please assign marseel for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Jan 13, 2025
@sambdavidson sambdavidson changed the title [WIP] Update ClusterLoader2's temp KubeConfig PKI for ServiceAccount Update ClusterLoader2's temp KubeConfig PKI for ServiceAccount Jan 14, 2025
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 14, 2025
@wojtek-t
Copy link
Member

/assign @jprzychodzen @tosi3k

@jprzychodzen
Copy link
Contributor

I'm not exactly following why we should use another way.

Per upgrade notes (I guess it strictly related to kubernetes/kubernetes#108309) we are creating a Service account, as per linked documentation https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets and https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount .

Could you elaborate why it's considered legacy?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mborsz mborsz Awaiting requested review from mborsz

@wojtek-t wojtek-t Awaiting requested review from wojtek-t

Assignees

@tosi3k tosi3k

@jprzychodzen jprzychodzen

Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@sambdavidson @k8s-ci-robot @wojtek-t @jprzychodzen @tosi3k