track legacy service account tokens #108858

Merged
merged 1 commit into from Oct 24, 2022

@zshihang zshihang commented Mar 21, 2022

What type of PR is this?

/kind feature

What this PR does / why we need it:

this PR implements https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/2799-reduction-of-secret-based-service-account-token#legacyserviceaccounttokentracking

Does this PR introduce a user-facing change?

When the alpha `LegacyServiceAccountTokenTracking` feature gate is enabled, secret-based service account tokens will have a `kubernetes.io/legacy-token-last-used` applied to them containing the date they were last used.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

- [KEP]: kubernetes/enhancements#2800
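
An added example (not code from this PR or from Kubernetes) of how an operator could consume the tracking data described in the release note: it scans a Secret list for secret-based service account tokens whose `kubernetes.io/legacy-token-last-used` value is missing or older than a cutoff. It assumes the value is stored under `metadata.labels` in `YYYY-MM-DD` form; `StaleLegacyTokens`, `secret` and `sampleJSON` are hypothetical names, and the sample data is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Key from the release note. Assumptions: it is a metadata label, valued YYYY-MM-DD.
const lastUsedLabel, dateLayout = "kubernetes.io/legacy-token-last-used", "2006-01-02"
// Minimal view of a Secret (encoding/json matches keys case-insensitively).
type secret struct {
	Type     string
	Metadata struct{ Namespace, Name string; Labels map[string]string }
}
// Constructed sample shaped like `kubectl get secrets -A -o json` output.
const sampleJSON = `{"items":[
{"type":"kubernetes.io/service-account-token","metadata":{"namespace":"ci","name":"builder-token","labels":{"kubernetes.io/legacy-token-last-used":"2022-10-20"}}},
{"type":"kubernetes.io/service-account-token","metadata":{"namespace":"ci","name":"deploy-token","labels":{"kubernetes.io/legacy-token-last-used":"2022-03-01"}}},
{"type":"kubernetes.io/service-account-token","metadata":{"namespace":"ops","name":"old-token"}},
{"type":"kubernetes.io/tls","metadata":{"namespace":"ops","name":"tls-cert"}}]}`

// StaleLegacyTokens lists token secrets with a missing, unparseable or too-old last-used date.
func StaleLegacyTokens(raw []byte, now time.Time, maxAge time.Duration) ([]string, error) {
	var list struct{ Items []secret }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var out []string
	for _, s := range list.Items {
		if s.Type != "kubernetes.io/service-account-token" {
			continue // other secret types are out of scope
		}
		id := s.Metadata.Namespace + "/" + s.Metadata.Name
		v, ok := s.Metadata.Labels[lastUsedLabel]
		if t, err := time.Parse(dateLayout, v); !ok {
			out = append(out, id+": no recorded use")
		} else if err != nil {
			out = append(out, id+": unparseable date "+v)
		} else if now.Sub(t) > maxAge {
			out = append(out, id+": last used "+v)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(StaleLegacyTokens([]byte(sampleJSON), time.Date(2022, 10, 24, 0, 0, 0, 0, time.UTC), 90*24*time.Hour))
}
```

"No recorded use" only means no use was observed while the feature gate was enabled, so let tracking run for a while before treating such tokens as unused.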

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 21, 2022
@k8s-ci-robot k8s-ci-robot added area/apiserver area/test sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. release-note-none Denotes a PR that doesn't merit a release note. labels Mar 21, 2022
@zshihang
Contributor Author

/triage accepted
/sig auth
/priority important-soon
/cc @liggitt

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Mar 21, 2022
@zshihang zshihang force-pushed the master branch 2 times, most recently from 561e6f0 to 6d67460 Compare March 25, 2022 00:33
@zshihang
Contributor Author

/retest

@liggitt
Member

liggitt commented Mar 28, 2022

Unfortunately, review time for this got starved out last week by regressions and reviews of existing features making progress towards beta. Will need to bump this to 1.25 to get thorough review and have more soak time of the new controller before a release.

Can you update the enhancements issue and KEP to limit the 1.24 changes to the LegacyServiceAccountTokenNoAutoGeneration feature gate and retarget the others to 1.25?

/milestone v1.25

@k8s-ci-robot k8s-ci-robot added this to the v1.25 milestone Mar 28, 2022
@enj enj added this to Needs Triage in SIG Auth Old Mar 29, 2022
@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 6, 2022
@zshihang
Contributor Author

zshihang commented Aug 4, 2022

/test pull-kubernetes-e2e-kind-ipv6

@zshihang
Contributor Author

zshihang commented Aug 9, 2022

@cici37 what's the deadline for exceptions? i am not sure we can have this PR merged on time.

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Sep 23, 2022
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 3, 2022
@zshihang
Contributor Author

@liggitt anything else we need to merge this PR? could you take another look?

Resolved review threads (outdated): staging/src/k8s.io/apiserver/pkg/warning/context.go (2), pkg/serviceaccount/legacy.go (4)
@zshihang zshihang force-pushed the master branch 3 times, most recently from 6b35b1d to e7964ba Compare October 20, 2022 22:47
@liggitt
Member

liggitt commented Oct 24, 2022

/lgtm
/approve
/hold for green alpha e2e run

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 24, 2022
@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 24, 2022
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, zshihang

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 24, 2022
@zshihang
Contributor Author

/unhold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 24, 2022
@zshihang
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot merged commit c5242ed into kubernetes:master Oct 24, 2022
SIG Auth Old automation moved this from In Review to Closed / Done Oct 24, 2022
@k8s-ci-robot k8s-ci-robot added this to the v1.26 milestone Oct 24, 2022
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/apiserver area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
Archived in project
SIG Auth Old
Closed / Done
6 participants