Enable Bound Service Account Tokens #150
Conversation
openshift-ci-robot
added
the
size/L
marun
changed the title
openshift-ci-robot
added
the
do-not-merge/work-in-progress
|
|
||
| ### Goals | ||
|
|
||
| - A pod can request a bound service account token via a projected volume. |
|
|
||
| ### Non-Goals | ||
|
|
||
| - Integrate or ship the aws pod identity webhook |
There was a problem hiding this comment.
@derekwaynecarr @cuppett do we get to punt or not?
There was a problem hiding this comment.
According to the epic this is a non-goal for this team and this release.
There was a problem hiding this comment.
I was under the assumption that one of the exit criteria would be to make sure the iam setup works.. I don't think we have to ship it, but we have to verify it works with sane steps.
There was a problem hiding this comment.
This is called out in the testing section.
| in kube > 1.12. They are only configured by the apiserver if the following options are | ||
| provided: | ||
| - service-account-signing-key-file (set to private key managed by operator) | ||
| - service-account-issuer (defaults to https://kubernetes.default.svc/) |
There was a problem hiding this comment.
Should we default to something more specific/unique per cluster (thinking a derivative of the cluster ID)
There was a problem hiding this comment.
Note that the default specified here is the same as the upstream default. What would be the use case for providing something unique?
marun
changed the title
openshift-ci-robot
removed
the
do-not-merge/work-in-progress
|
|
||
| ## Summary | ||
|
|
||
| Enable the optional use of bound service account tokens via volume projection and the |
There was a problem hiding this comment.
links to the APIs would be nice.
There was a problem hiding this comment.
Done. Note that the best doc on both of these is arguably the jpweber.io link in see-also
| bound tokens. | ||
| - The keypair should be written to a secret in the `openshift-kube-apiserver` namespace | ||
| - The public key should be added to (rather than replaced in) a configmap in the | ||
| `openshift-config-managed` namespace. |
There was a problem hiding this comment.
it surprises me that there is no standard location defined by upstream.
There was a problem hiding this comment.
it surprises me that there is no standard location defined by upstream.
our operator configuration uses this standard location. Recall that the kube-apiserver doesn't read its config from in-cluster sources.
There was a problem hiding this comment.
Meant the public key. I guess the kube-apiserver is the only one verifying that, so it is the only one that has to know its location.
| `KubeAPIServerConfig.ServiceAccountPublicKeyFiles` for provision to the apiserver. | ||
| - In the event that the keypair secret is deleted, a new keypair will be generated | ||
| but tokens signed by the previous private key will continue to validate since the | ||
| corresponding public key will still be used to validate bound tokens. |
There was a problem hiding this comment.
so the openshift-config-managed configmap has multiple public key possibly? How are they named?
There was a problem hiding this comment.
Updated to reflect: sequentially, in the same manner as sa token public keys are maintained.
|
|
||
| It probably makes sense to manually verify integration with the AWS pod identity webhook, | ||
| since this is the primary motivation for this enhancement. It may make sense to delegate | ||
| this testing to those that will be deploying the webhook for customers. |
There was a problem hiding this comment.
Maybe deletion of the secret would make sense to test.
There was a problem hiding this comment.
Updated to include testing of both secret and configmap removal.
|
/approve @sttts has lgtm |
openshift-ci-robot
added
the
approved
| - Operator should set this to the path of the private key it manages | ||
| - service-account-issuer | ||
| - Operator should set this to https://kubernetes.default.svc/ | ||
| - Operator should default this to `bound-sa-token.auth.openshift.io` and it should be |
There was a problem hiding this comment.
if this is changed, which consequences does it have (especially for existing tokens) ?
There was a problem hiding this comment.
Existing tokens signed by the previous issuer will fail to validate. If long-lived tokens have been issued to pods, pod restart will be the only fix.
| - Validating that a bound token can be requested via the TokenRequest API | ||
| - Validating that a pod can request a bound token via volume projection | ||
|
|
||
| The key management proposed by this enhancement will also need to tested: |
| - Would it make sense to disable bound tokens if --service-account-issuer is not set? Or | ||
| should the feature be enabled by default with iss defaulted if not provided on initial | ||
| deployment, and it could be changed from the default subsequently if required? | ||
| - How does the kubelet respond to a change in issuer? |
There was a problem hiding this comment.
Which of the two will be implemented now?
There was a problem hiding this comment.
--service-account-issuer will be defaulted to allow the feature to come enabled out of the box.
|
@sttts Updated, PTAL |
| - Operator should set this to the path of the private key it manages | ||
| - service-account-issuer | ||
| - Operator should default this to `auth.openshift.io` and it should be possible to | ||
| override it. When it is overriden, tokens from the previous issuer will no longer |
| - Enabling bound tokens will satisfy goals #1 and #2. | ||
|
|
||
| - The apiserver operator should manage a keypair used to sign and verify bound tokens | ||
| - An rsa keypair will be used. The trust model for digital signatures (via jwt) is |
|
|
||
| ### Implementation Details/Notes/Constraints [optional] | ||
|
|
||
| Bound tokens are not currently required until bootstrap is complete, so it should be |
There was a problem hiding this comment.
cc @bergerhoffer, this needs to go into docs as a warning
There was a problem hiding this comment.
Thanks @sttts I'll make a note of this.
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, marun, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
8 participants
cc: @sttts @stlaz @deads2k