
K8SSAND-1803 ⁃ Switch to TokenRequest API for ServiceAccount tokens

Open · olim7t opened this issue 3 years ago · 1 comment

Currently we use a non-expiring token (at first auto-generated, and then explicitly declared when we moved to k8s 1.24 in #681).

The documentation recommends switching to TokenRequest instead:

Tokens obtained from the TokenRequest API are more secure than ones stored in Secret objects, because they have a bounded lifetime and are not readable by other API clients. You can use the kubectl create token command to obtain a token from the TokenRequest API.

You should only create a service account token Secret object if you can't use the TokenRequest API to obtain a token, and the security exposure of persisting a non-expiring token credential in a readable API object is acceptable to you.

We should investigate if and how that API can be used from our controller code.

┆Issue is synchronized with this Jira Story by Unito

olim7t · Sep 23 '22 22:09
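As an added example (not code from the k8ssandra-operator project, which would more naturally go through client-go's `CoreV1().ServiceAccounts(ns).CreateToken(...)`), the Go program below shows the underlying call the issue asks about: a POST of an `authentication.k8s.io/v1` TokenRequest to the ServiceAccount's `token` subresource, reading the granted expiry back from `status.expirationTimestamp`, plus the refresh rule a controller needs once tokens are no longer permanent. The API server URL, the controller's bearer credential, the namespace and ServiceAccount name `k8ssandra-operator`, the audience and the canned token are assumptions; the `httptest` server stands in for kube-apiserver so the example runs offline.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Subset of authentication.k8s.io/v1 TokenRequest: spec is sent, status comes back
// (status is ignored by the API server on create).
type TokenRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Spec       struct {
		Audiences         []string `json:"audiences,omitempty"`
		ExpirationSeconds *int64   `json:"expirationSeconds,omitempty"`
	} `json:"spec"`
	Status struct {
		Token               string    `json:"token,omitempty"`
		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
	} `json:"status"`
}

// RequestToken POSTs a TokenRequest to the ServiceAccount "token" subresource (the same call
// `kubectl create token` makes) and returns the token plus the expiry the server actually granted.
func RequestToken(ctx context.Context, client *http.Client, apiServer, bearer,
	namespace, sa string, audiences []string, ttl time.Duration) (string, time.Time, error) {
	if ttl < 10*time.Minute { // kube-apiserver rejects expirationSeconds below 600
		return "", time.Time{}, fmt.Errorf("expirationSeconds must be at least 600")
	}
	var tr TokenRequest
	tr.APIVersion, tr.Kind = "authentication.k8s.io/v1", "TokenRequest"
	secs := int64(ttl / time.Second)
	tr.Spec.Audiences, tr.Spec.ExpirationSeconds = audiences, &secs
	body, err := json.Marshal(tr)
	if err != nil {
		return "", time.Time{}, err
	}
	url := fmt.Sprintf("%s/api/v1/namespaces/%s/serviceaccounts/%s/token", apiServer, namespace, sa)
	req, err := http.NewRequestWithContext(ctx, http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	req.Header.Set("Authorization", "Bearer "+bearer) // the controller's own identity (assumed)
	resp, err := client.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusCreated && resp.StatusCode != http.StatusOK {
		return "", time.Time{}, fmt.Errorf("TokenRequest failed: HTTP %d", resp.StatusCode)
	}
	var out TokenRequest
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil || out.Status.Token == "" {
		return "", time.Time{}, fmt.Errorf("no token in TokenRequest response (%v)", err)
	}
	return out.Status.Token, out.Status.ExpirationTimestamp, nil
}

// NeedsRefresh is the rotation rule a controller needs once tokens expire:
// renew after 80% of the granted lifetime has elapsed rather than at the last moment.
func NeedsRefresh(issued, expires, now time.Time) bool {
	return now.Sub(issued) >= expires.Sub(issued)*4/5
}

// fakeAPIServer is a constructed stand-in for kube-apiserver so the example runs offline;
// it checks the request shape and issues a fake token for the requested lifetime.
func fakeAPIServer(now time.Time) *httptest.Server {
	const path = "/api/v1/namespaces/k8ssandra-operator/serviceaccounts/k8ssandra-operator/token"
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var in TokenRequest
		if r.Method != http.MethodPost || r.URL.Path != path ||
			json.NewDecoder(r.Body).Decode(&in) != nil || in.Spec.ExpirationSeconds == nil {
			http.Error(w, "bad TokenRequest", http.StatusBadRequest)
			return
		}
		in.Status.Token = "constructed.jwt.token" // a real server returns a signed JWT here
		in.Status.ExpirationTimestamp = now.Add(time.Duration(*in.Spec.ExpirationSeconds) * time.Second)
		w.WriteHeader(http.StatusCreated)
		json.NewEncoder(w).Encode(in)
	}))
}

// Demo requests a one-hour token and reports whether it needs refreshing 50 minutes later.
func Demo() (token string, expires time.Time, refresh bool, err error) {
	issued := time.Date(2022, 9, 23, 22, 9, 0, 0, time.UTC)
	srv := fakeAPIServer(issued)
	defer srv.Close()
	token, expires, err = RequestToken(context.Background(), srv.Client(), srv.URL, "controller-bearer",
		"k8ssandra-operator", "k8ssandra-operator", []string{"https://kubernetes.default.svc"}, time.Hour)
	if err != nil {
		return "", time.Time{}, false, err
	}
	return token, expires, NeedsRefresh(issued, expires, issued.Add(50*time.Minute)), nil
}
```

Two caveats worth keeping in mind when moving a controller to this flow: the identity making the call needs RBAC `create` on `serviceaccounts/token`, and the API server may shorten the requested lifetime (`--service-account-max-token-expiration`), so the controller should trust `status.expirationTimestamp` rather than the duration it asked for. The issued token should also stay in process memory; writing it back into a Secret would recreate exactly the exposure the quoted documentation warns about.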

1.22 minimum.

burmanm · Sep 26 '22 14:09