Reduction of Secret-based Service Account Tokens

[zshihang]

Enhancement Description

• One-line enhancement description: reduce secret-based service account tokens
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token
• Discussion Link: sig-auth
• Primary contact (assignee): @zshihang
• Responsible SIGs: sig-auth
• Enhancement target (which target equals to which milestone):
  • LegacyServiceAccountTokenNoAutoGeneration feature gate
    • Beta release target (x.y): 1.24
    • Stable release target (x.y): 1.26
  • LegacyServiceAccountTokenTracking feature gate
    • Alpha release target (x.y): 1.26
    • Beta release target (x.y): 1.27
    • Stable release target (x.y): 1.28
  • LegacyServiceAccountTokenCleanUp feature gate
    • Alpha release target (x.y): 1.27
    • Beta release target (x.y): 1.28
    • Stable release target (x.y): 1.29
• [x] 1.24
  • [x] KEP (k/enhancements) update PR(s):
    • [x] https://github.com/kubernetes/enhancements/pull/2800
  • [x] Code (k/k) update PR(s):
    • [x] LegacyServiceAccountTokenNoAutoGeneration - https://github.com/kubernetes/kubernetes/pull/108309
  • [x] Docs (k/website) update PR(s):
    • [x] https://github.com/kubernetes/website/pull/31845
    • [x] https://github.com/kubernetes/website/pull/31894
    • [x] https://github.com/kubernetes/website/pull/32339
• [x] 1.25
  • [x] KEP (k/enhancements) update PR(s):
    • https://github.com/kubernetes/enhancements/pull/3393
• [x] 1.26
  • [x] KEP (k/enhancements) update PR(s):
    • [x] https://github.com/kubernetes/enhancements/pull/3536
  • [x] Code (k/k) update PR(s):
    • [x] LegacyServiceAccountTokenNoAutoGeneration
      • https://github.com/kubernetes/kubernetes/pull/112838
    • [x] LegacyServiceAccountTokenTracking
      • https://github.com/kubernetes/kubernetes/pull/108858
  • [x] Docs (k/website) update(s):
    • [x] https://github.com/kubernetes/website/pull/37483
• [ ] 1.27
  • [x] KEP (k/enhancements) update PR(s):
    • [x] https://github.com/kubernetes/enhancements/pull/3696
  • [ ] Code (k/k) update PR(s):
    • [x] LegacyServiceAccountTokenNoAutoGeneration
      • https://github.com/kubernetes/kubernetes/pull/114522
    • [x] LegacyServiceAccountTokenTracking
      • https://github.com/kubernetes/kubernetes/pull/114523
    • [ ] LegacyServiceAccountTokenCleanUp
      • TBD
  • [ ] Docs (k/website) update(s):
    • [ ] TBD

[zshihang]

/sig auth

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[enj]

/remove-lifecycle stale /lifecycle frozen

[gracenng]

Hi @zshihang , 1.24 Enhancements Lead here. Will this enhancement (both features) be in alpha for 1.24? Thanks

[zshihang]

LegacyServiceAccountTokenNoAutoGeneration would be beta in 1.24; LegacyServiceAccountTokenTracking and LegacyServiceAccountTokenCleanUp would be alpha in 1.24.

[gracenng]

Cross posted in PR Hi @zshihang ! 1.24 Enhancements team here. Just checking in as we approach enhancements freeze on 18:00pm PT on Thursday Feb 3rd. I'll mark this as beta while awaiting your confirmation Here’s where this enhancement currently stands:

• [ ] Updated KEP file using the latest template has been merged into the k/enhancements repo #2800
• [x] KEP status is marked as implementable for this release with latest-milestone: 1.24
• [x] KEP has a test plan section filled out.
• [x] KEP has up to date graduation criteria.
• [x] KEP has a production readiness review that has been completed and merged into k/enhancements.

The status of this enhancement is track as at risk. @zshihang, you replied "done" in the PR but it has not been merged. Did I miss something? Thanks!

[liggitt]

@gracenng the linked PR has now merged. can you confirm this is in good shape for enhancements freeze?

[gracenng]

Thanks for the ping @liggitt . Updated status to tracked, all good for enhancements freeze

[chrisnegus]

Hi @zshihang 👋 1.24 Docs shadow here.

This enhancement is marked as 'Needs Docs' for the 1.24 release.

Please follow the steps detailed in the documentation to open a PR against the dev-1.24 branch in the k/website repo. This PR can be just a placeholder at this time and must be created before Thu March 31, 11:59 PM PDT.

Also, if needed take a look at Documenting for a release to familiarize yourself with the docs requirement for the release.

Thanks!

[gracenng]

Hi @zshihang 1.24 Enhancements Team here,

With Code Freeze approaching on 18:00 PDT Tuesday March 29th 2022, the enhancement status is at risk as there is no linked k/k PR. Kindly list them in this issue. Thanks!

[liggitt]

updated description with code and docs PRs

[chrisnegus]

@liggitt Thanks for adding links to the docs PRs. Is that all the documentation required for this KEP in 1.24?

[liggitt]

the unchecked items represent work yet to be done

[katcosgrove]

Hey y'all! We're approaching last call for feature blogs, as the freeze is Wednesday, March 23. If you would like to have a feature blog for this, please add it to the tracking sheet and reach out to me if you have any questions. Thank you!

[gracenng]

Hey @liggitt , with Code Freeze coming in a few days. Will the portions marked TBD be added as part of this feature?

[liggitt]

Unclear, fixing other regressions in the project and other reviews have consumed a lot of the bandwidth the past couple weeks. If nothing else merges for 1.24, the already merged piece is good to go standalone and we'll shift the other bits to 1.25. Will update Monday.

[gracenng]

Hi @liggitt , is it safe to assume that the TBD pieces are not coming and this feature is good for Code Freeze?

[liggitt]

Yes

[liggitt]

updated description

[chrisnegus]

Hi @liggitt ! I see that the LegacyServiceAccountTokenNoAutoGeneration feature is still listed as needing documentation for 1.24. If that is still true, could you open a placeholder PR against the docs before tomorrow's deadline? Thanks so much!

[chrisnegus]

@zshihang Thanks for opening the docs placeholder PR!

[chrisnegus]

According to PR #32654, documentation has for this KEP has been done in PR #32339 and merged.

[sftim]

I've raised a bug because I don't think the documentation is done.

[jasonbraganza]

Hello @zshihang 👋, 1.25 Enhancements team here.

Just checking in as we approach enhancements freeze on 18:00 PST on Thursday June 16, 2022.

Q: Would you kindly help me understand, what stage does the KEP target in the 1.25 release cycle? Is it staying in beta or targeting stable?

Here's where this enhancement currently stands:

• [ ] KEP file using the latest template has been merged into the k/enhancements repo.
• [X] KEP status is marked as implementable
• [ ] KEP has a updated detailed test plan section filled out
• [X] KEP has up to date graduation criteria
• [X] KEP has a production readiness review that has been completed and merged into k/enhancements.

Looks like for this one, we would need to update the following:

• Update the kep.yaml file to reflect the latest target stage and milestone information
• Please update the Test plan section, so that it incorporates the updated detailed test plan section requirements

For note, the status of this enhancement is marked as at risk. Please keep the issue description up-to-date with appropriate stages as well. Thank you!

[jasonbraganza]

Hello @zshihang 👋, just a quick check-in again, as we approach the 1.25 enhancements freeze.

Please plan to get the above pending items, done before enhancements freeze on Thursday, June 16, 2022 at 18:00 PM PT.

For note, the current status of the enhancement is atat-risk. Thank you!

[liggitt]

Q: Would you kindly help me understand, what stage does the KEP target in the 1.25 release cycle? Is it staying in beta or targeting stable?

LegacyServiceAccountTokenNoAutoGeneration remains in beta in 1.25.

LegacyServiceAccountTokenTracking and LegacyServiceAccountTokenCleanUp feature gates are in alpha for 1.25.

[liggitt]

Here's where this enhancement currently stands:

• [ ] KEP file using the latest template has been merged into the k/enhancements repo.

Included in https://github.com/kubernetes/enhancements/pull/3393

• [x] KEP status is marked as implementable
• [ ] KEP has a updated detailed test plan section filled out

Included in https://github.com/kubernetes/enhancements/pull/3393

• [ ] KEP has up to date graduation criteria

This is complete

• [ ] KEP has a production readiness review that has been completed and merged into k/enhancements.

This is complete

[jasonbraganza]

Thank you, for the updates @liggitt.

I’ll go ahead and track this enhancement, as targeting beta as mentionend in the kep.yaml file in the open PR https://github.com/kubernetes/enhancements/pull/3393

[liggitt]

https://github.com/kubernetes/enhancements/pull/3393 is now merged

[Priyankasaggu11929]

Thanks so much for the update, @liggitt! 🙂

I'll update the status to tracked in the Enhancements tracking sheet.