Investigation: Default Service Accounts

Open sj-williams opened this issue 10 months ago • 4 comments

Background

Namespaces which were created before k8s 1.24 likely still have legacy default service accounts with legacy token secrets. For example, abundant-namespace-dev:

Active namespace is "abundant-namespace-dev".
❯ k get sa
NAME      SECRETS   AGE
default   1         2y273d

We need to find out:

  • Are these default service account tokens triggering warnings in users' deployments?
  • If we delete the default service account, what is the impact (if any) on pods that use the default service account (these are any pods that do not specify their own SA)?
  • If we delete an old namespace default service account, will it immediately refresh with a non-legacy token setup?

Test the above scenarios in abundant.

Proposed user journey

Approach

Which part of the user docs does this impact

Communicate changes

  • [ ] post for #cloud-platform-update
  • [ ] Weeknotes item
  • [ ] Show the Thing/P&A All Hands/User CoP
  • [ ] Announcements channel

Questions / Assumptions

Definition of done

  • [ ] readme has been updated
  • [ ] user docs have been updated
  • [ ] another team member has reviewed
  • [ ] smoke tests are green
  • [ ] prepare demo for the team

Reference

How to write good user stories

sj-williams, Mar 28 '24 17:03
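
An added example, not part of the original issue or the cloud-platform project's code: a Python audit of one namespace's `kubectl get sa,secret,pod -o json` output that lists the default service account's legacy token secrets and the pods that run as it or mount such a secret directly. The sample objects and the function name are constructed for illustration, and the `kubernetes.io/legacy-token-last-used` label is only present on clusters that track legacy token use.

```python
# Real input would be: kubectl get sa,secret,pod -n <namespace> -o json
import json

TOKEN_TYPE = "kubernetes.io/service-account-token"
SA_ANNOTATION = "kubernetes.io/service-account.name"
LAST_USED_LABEL = "kubernetes.io/legacy-token-last-used"  # only with token tracking

# Constructed sample (all names made up), shaped like the kubectl List output.
SAMPLE = {"kind": "List", "items": [
    {"kind": "ServiceAccount", "metadata": {"name": "default"},
     "secrets": [{"name": "default-token-abc12"}]},
    {"kind": "Secret", "type": TOKEN_TYPE,
     "metadata": {"name": "default-token-abc12",
                  "annotations": {SA_ANNOTATION: "default"},
                  "labels": {LAST_USED_LABEL: "2024-03-01"}}},
    {"kind": "Secret", "type": "Opaque", "metadata": {"name": "app-config"}},
    {"kind": "Pod", "metadata": {"name": "web-1"},
     "spec": {"serviceAccountName": "default", "volumes": [{"projected": {}}]}},
    {"kind": "Pod", "metadata": {"name": "old-job"},
     "spec": {"volumes": [{"name": "tok",
                           "secret": {"secretName": "default-token-abc12"}}]}},
    {"kind": "Pod", "metadata": {"name": "api-1"}, "spec": {"serviceAccountName": "api"}},
]}

def audit_default_sa(kube_list, sa="default"):
    """Return the legacy token secrets of `sa` and the pods that depend on it."""
    out = {"sa_secrets": [], "tokens": {}, "pods_as_sa": [], "pods_mounting": []}
    items = kube_list.get("items", [])
    for o in items:
        meta = o.get("metadata", {})
        if o.get("kind") == "ServiceAccount" and meta.get("name") == sa:
            out["sa_secrets"] = [s["name"] for s in o.get("secrets") or []]
        elif o.get("kind") == "Secret" and o.get("type") == TOKEN_TYPE:
            if (meta.get("annotations") or {}).get(SA_ANNOTATION) == sa:
                labels = meta.get("labels") or {}
                out["tokens"][meta["name"]] = labels.get(LAST_USED_LABEL)
    for o in (i for i in items if i.get("kind") == "Pod"):
        spec = o.get("spec", {})
        # A pod that names no service account runs as "default".
        if (spec.get("serviceAccountName") or "default") == sa:
            out["pods_as_sa"].append(o["metadata"]["name"])
        mounted = {v.get("secret", {}).get("secretName") for v in spec.get("volumes") or []}
        if mounted & set(out["tokens"]):
            out["pods_mounting"].append(o["metadata"]["name"])
    return out

if __name__ == "__main__":
    print(json.dumps(audit_default_sa(SAMPLE), indent=2))
```

Pods listed under `pods_mounting` read the legacy secret as a volume, so they are the ones to watch when testing deletion of the old token secret.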