Skip to content

WIP Enable configuration of bound service account tokens #24416

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
marun wants to merge 2 commits into from
Closed

WIP Enable configuration of bound service account tokens #24416

marun wants to merge 2 commits into from

Conversation

@marun
Copy link
Contributor

@marun marun commented Jan 18, 2020
edited
Loading

NOTE This PR is not mergeable until openshift/api#569 merges.

Implements operand support for openshift/enhancements#150.

@openshift-ci-robot openshift-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jan 18, 2020
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 18, 2020

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: marun
To complete the pull request process, please assign tbielawa
You can assign the PR to them by writing /assign @tbielawa in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci-robot openshift-ci-robot added the vendor-update Touching vendor dir or related files label Jan 18, 2020
@marun marun mentioned this pull request Jan 18, 2020
Merged
5 tasks
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 18, 2020

@marun: The following tests failed, say /retest to rerun all failed tests:

Test name Commit Details Rerun command
ci/prow/e2e-gcp 9a1ac44 link /test e2e-gcp
ci/prow/e2e-cmd 9a1ac44 link /test e2e-cmd
ci/prow/e2e-gcp-upgrade 9a1ac44 link /test e2e-gcp-upgrade

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

sttts
sttts reviewed Jan 20, 2020
View reviewed changes
vendor/k8s.io/kubernetes/openshift-kube-apiserver/openshiftkubeapiserver/flags.go
// request-timeout
// runtime-config
// service-account-api-audiences
// service-account-issuer
Copy link
Contributor

@sttts sttts Jan 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this commit needs a proper UPSTREAM: <carry>: ... commit msg.

Copy link
Contributor

@sttts sttts Jan 20, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm otherwise.

@stlaz
Copy link
Contributor

stlaz commented Jan 20, 2020

You need to add validation for the ServiceAccountIssuer field to vendor/k8s.io/kubernetes/openshift-kube-apiserver/admission/customresourcevalidation/authentication/validate_authentication.go so that user config does not make the KAS pods crashloop

origin/vendor/k8s.io/kubernetes/pkg/kubeapiserver/options/authentication.go

Lines 173 to 175 in 0292713

if s.ServiceAccounts != nil && len(s.ServiceAccounts.Issuer) > 0 && strings.Contains(s.ServiceAccounts.Issuer, ":") {
if _, err := url.Parse(s.ServiceAccounts.Issuer); err != nil {
allErrors = append(allErrors, fmt.Errorf("service-account-issuer contained a ':' but was not a valid URL: %v", err))

@marun
Copy link
Contributor Author

marun commented Jan 21, 2020

Since the bound token flags are already exposed by the apiserver, this PR is not necessary.

@marun marun closed this Jan 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deads2k deads2k Awaiting requested review from deads2k

@smarterclayton smarterclayton Awaiting requested review from smarterclayton

1 more reviewer

@sttts sttts sttts left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. vendor-update Touching vendor dir or related files

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@marun @openshift-ci-robot @stlaz @sttts