BZ-2093995Remove Using a service account’s credentials externally

edits per EricPonvelle
openshift · Aug 1, 2022 · 9a66bfa · 9a66bfa
1 parent ca4a849
commit 9a66bfa
Show file tree

Hide file tree

Showing 8 changed files with 50 additions and 92 deletions.
diff --git a/authentication/index.adoc b/authentication/index.adoc
@@ -56,6 +56,6 @@ You can manage authorization for {product-title} through the following tasks:
 ====
 After creating the cluster admin user, xref:../authentication/remove-kubeadmin.adoc#removing-kubeadmin_removing-kubeadmin[delete the existing kubeadmin user] to improve cluster security.
 ====
-* Creating service accounts: xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-overview_understanding-service-accounts[Service accounts] provide a flexible way to control API access without sharing a regular user’s credentials. A user can xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-managing_understanding-service-accounts[create] and xref:../authentication/using-service-accounts-in-applications.adoc#service-accounts-using-credentials-externally_using-service-accounts[use a service account in applications] and also as xref:../authentication/using-service-accounts-as-oauth-client.adoc#using-service-accounts-as-oauth-client[an OAuth client].
+* Creating service accounts: xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-overview_understanding-service-accounts[Service accounts] provide a flexible way to control API access without sharing a regular user’s credentials. A user can xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-managing_understanding-service-accounts[create and use a service account in applications] and also as xref:../authentication/using-service-accounts-as-oauth-client.adoc#using-service-accounts-as-oauth-client[an OAuth client].
 * xref:../authentication/tokens-scoping.adoc#tokens-scoping[Scoping tokens]: A scoped token is a token that identifies as a specific user who can perform only specific operations. You can create scoped tokens to delegate some of your permissions to another user or a service account.
 * Syncing LDAP groups: You can manage user groups in one place by xref:../authentication/ldap-syncing.adoc#ldap-syncing[syncing the groups stored in an LDAP server] with the {product-title} user groups.
diff --git a/authentication/using-service-accounts-in-applications.adoc b/authentication/using-service-accounts-in-applications.adoc
@@ -10,8 +10,15 @@ include::modules/service-accounts-overview.adoc[leveloffset=+1]
 
 include::modules/service-accounts-default.adoc[leveloffset=+1]
 
+// remove these links for 4.12+
+
+.Additional resources
+
+* For information about requesting bound service account tokens, see xref:../authentication/bound-service-account-tokens.html#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]
+
+* For information about creating a service account token secret, see see xref:../nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret].
+
 include::modules/service-accounts-creating.adoc[leveloffset=+1]
 
 // include::modules/service-accounts-using-credentials-inside-a-container.adoc[leveloffset=+1]
 
-include::modules/service-accounts-using-credentials-externally.adoc[leveloffset=+1]
diff --git a/modules/nodes-pods-secrets-about.adoc b/modules/nodes-pods-secrets-about.adoc
@@ -84,3 +84,7 @@ For examples of different secret types, see the code samples in _Using Secrets_.
 == Secret data keys
 
 Secret keys must be in a DNS subdomain.
+
+// remove this snippet for 4.12+
+
+include::snippets/service-account-auto-secret-removed.adoc[]
diff --git a/modules/service-accounts-creating.adoc b/modules/service-accounts-creating.adoc
@@ -65,16 +65,12 @@ $ oc describe sa robot
 .Example output
 [source,terminal]
 ----
-Name:		robot
-Namespace:	project1
-Labels:		<none>
-Annotations:	<none>
-
-Image pull secrets:	robot-dockercfg-qzbhb
-
-Mountable secrets: 	robot-token-f4khf
-                   	robot-dockercfg-qzbhb
-
-Tokens:            	robot-token-f4khf
-                   	robot-token-z8h44
+Name:                robot
+Namespace:           project1
+Labels:	             <none>
+Annotations:	     <none>
+Image pull secrets:  robot-dockercfg-qzbhb
+Mountable secrets:   robot-dockercfg-qzbhb
+Tokens:              robot-token-f4khf
+Events:              <none>
 ----
diff --git a/modules/service-accounts-default.adoc b/modules/service-accounts-default.adoc
@@ -71,3 +71,7 @@ viewing and modifying replication controllers and pods in the project.
 All service accounts in a project are given the `system:image-puller` role,
 which allows pulling images from any imagestream in the project using the
 internal container image registry.
+
+// remove this snippet for 4.12+
+
+include::snippets/service-account-auto-secret-removed.adoc[]
diff --git a/modules/service-accounts-using-credentials-externally.adoc b/modules/service-accounts-using-credentials-externally.adoc
diff --git a/nodes/pods/nodes-pods-secrets.adoc b/nodes/pods/nodes-pods-secrets.adoc
@@ -17,6 +17,14 @@ As an administrator, you can use `Secret` objects to provide this information wi
 
 include::modules/nodes-pods-secrets-about.adoc[leveloffset=+1]
 
+// remove these links for 4.12+
+
+.Additional resources
+
+* For information about requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.html#bound-sa-tokens-configuring_bound-service-account-tokens[Using bound service account tokens]
+
+* For information about creating a service account token secret, see xref:../../nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret].
+
 include::modules/nodes-pods-secrets-creating.adoc[leveloffset=+1]
 
 include::modules/nodes-pods-secrets-creating-opaque.adoc[leveloffset=+2]

diff --git a/snippets/service-account-auto-secret-removed.adoc b/snippets/service-account-auto-secret-removed.adoc
@@ -0,0 +1,17 @@
+// When including this file, ensure that {FeatureName} is set immediately before
+// the include. Otherwise it will result in an incorrect replacement.
+
+[id="auto-generated-sa-token-secrets_{context}"]
+== About automatically-generated service account token secrets
+
+In {product-version}, {product-title} is adopting an link:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes-1[enhancement from upstream Kubernetes], which enables the `LegacyServiceAccountTokenNoAutoGeneration` feature by default. As a result, when creating new serivce accounts (SA), a service account token secret is no longer automatically generated. Previously, {product-title} automatically added a service account token to a secret for each new SA. 
+
+However, some features and workloads need service account token secrets to communicate with the Kubernetes API server, for example, the OpenShift Controller Manager. While this requirement will be changed in a future release, it remains in {product-title} {product-version}. As a result, if you need a service account token secret, you must manually use the TokenRequest API to request bound service account tokens or create a service account token secret. 
+
+After upgrading to {product-version}, existing service account token secrets are not deleted and continue to function as expected.
+
+[NOTE]
+====
+In {product-version}, service account token secrets still appear to have been automatically generated. Although, instead creating two secrets per service account, {product-title} now creates one token, which does not work. In a future release, the number will be further reduced to zero. Note that `dockercfg` secrets are still generated and no secrets are deleted during upgrades.
+====
+