From 9a66bfa1e6cb840e9603da760f6fdc2b9ea5244f Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Mon, 27 Jun 2022 11:58:08 -0400 Subject: [PATCH] =?UTF-8?q?BZ-2093995Remove=20Using=20a=20service=20accoun?= =?UTF-8?q?t=E2=80=99s=20credentials=20externally?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit edits per EricPonvelle --- authentication/index.adoc | 2 +- ...sing-service-accounts-in-applications.adoc | 9 ++- modules/nodes-pods-secrets-about.adoc | 4 + modules/service-accounts-creating.adoc | 20 ++--- modules/service-accounts-default.adoc | 4 + ...accounts-using-credentials-externally.adoc | 78 ------------------- nodes/pods/nodes-pods-secrets.adoc | 8 ++ .../service-account-auto-secret-removed.adoc | 17 ++++ 8 files changed, 50 insertions(+), 92 deletions(-) delete mode 100644 modules/service-accounts-using-credentials-externally.adoc create mode 100644 snippets/service-account-auto-secret-removed.adoc
diff --git a/authentication/index.adoc b/authentication/index.adoc
index 8ad807655efc..a7817924d2ce 100644
--- a/authentication/index.adoc
+++ b/authentication/index.adoc
@@ -56,6 +56,6 @@ You can manage authorization for {product-title} through the following tasks:
 ====
 After creating the cluster admin user, xref:../authentication/remove-kubeadmin.adoc#removing-kubeadmin_removing-kubeadmin[delete the existing kubeadmin user] to improve cluster security.
 ====
-* Creating service accounts: xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-overview_understanding-service-accounts[Service accounts] provide a flexible way to control API access without sharing a regular user’s credentials. A user can xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-managing_understanding-service-accounts[create] and xref:../authentication/using-service-accounts-in-applications.adoc#service-accounts-using-credentials-externally_using-service-accounts[use a service account in applications] and also as xref:../authentication/using-service-accounts-as-oauth-client.adoc#using-service-accounts-as-oauth-client[an OAuth client].
+* Creating service accounts: xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-overview_understanding-service-accounts[Service accounts] provide a flexible way to control API access without sharing a regular user’s credentials. A user can xref:../authentication/understanding-and-creating-service-accounts.adoc#service-accounts-managing_understanding-service-accounts[create and use a service account in applications] and also as xref:../authentication/using-service-accounts-as-oauth-client.adoc#using-service-accounts-as-oauth-client[an OAuth client].
 * xref:../authentication/tokens-scoping.adoc#tokens-scoping[Scoping tokens]: A scoped token is a token that identifies as a specific user who can perform only specific operations. You can create scoped tokens to delegate some of your permissions to another user or a service account.
* Syncing LDAP groups: You can manage user groups in one place by xref:../authentication/ldap-syncing.adoc#ldap-syncing[syncing the groups stored in an LDAP server] with the {product-title} user groups.
diff --git a/authentication/using-service-accounts-in-applications.adoc b/authentication/using-service-accounts-in-applications.adoc
index 4b7047563bad..ff05583c1e93 100644
--- a/authentication/using-service-accounts-in-applications.adoc
+++ b/authentication/using-service-accounts-in-applications.adoc
@@ -10,8 +10,15 @@ include::modules/service-accounts-overview.adoc[leveloffset=+1]
 include::modules/service-accounts-default.adoc[leveloffset=+1]
+// remove these links for 4.12+
+
+.Additional resources
+
+* For information about requesting bound service account tokens, see xref:../authentication/bound-service-account-tokens.html#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]
+
+* For information about creating a service account token secret, see see xref:../nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret].
+
 include::modules/service-accounts-creating.adoc[leveloffset=+1]
 // include::modules/service-accounts-using-credentials-inside-a-container.adoc[leveloffset=+1]
-include::modules/service-accounts-using-credentials-externally.adoc[leveloffset=+1]
diff --git a/modules/nodes-pods-secrets-about.adoc b/modules/nodes-pods-secrets-about.adoc
index 3c35d5278e4b..91b0c595efac 100644
--- a/modules/nodes-pods-secrets-about.adoc
+++ b/modules/nodes-pods-secrets-about.adoc
@@ -84,3 +84,7 @@ For examples of different secret types, see the code samples in _Using Secrets_.
 == Secret data keys
 Secret keys must be in a DNS subdomain.
+
+// remove this snippet for 4.12+
+
+include::snippets/service-account-auto-secret-removed.adoc[]
diff --git a/modules/service-accounts-creating.adoc b/modules/service-accounts-creating.adoc
index 6389944a0ccb..3cee25dfab84 100644
--- a/modules/service-accounts-creating.adoc
+++ b/modules/service-accounts-creating.adoc
@@ -65,16 +65,12 @@ $ oc describe sa robot
 .Example output
 [source,terminal]
 ----
-Name: robot
-Namespace: project1
-Labels:
-Annotations:
-
-Image pull secrets: robot-dockercfg-qzbhb
-
-Mountable secrets: robot-token-f4khf
- robot-dockercfg-qzbhb
-
-Tokens: robot-token-f4khf
- robot-token-z8h44
+Name: robot
+Namespace: project1
+Labels:
+Annotations:
+Image pull secrets: robot-dockercfg-qzbhb
+Mountable secrets: robot-dockercfg-qzbhb
+Tokens: robot-token-f4khf
+Events:
 ----
diff --git a/modules/service-accounts-default.adoc b/modules/service-accounts-default.adoc
index d4ca2b17c47c..7967014aed5f 100644
--- a/modules/service-accounts-default.adoc
+++ b/modules/service-accounts-default.adoc
@@ -71,3 +71,7 @@ viewing and modifying replication controllers and pods in the project.
 All service accounts in a project are given the `system:image-puller` role, which allows pulling images from any imagestream in the project using the internal container image registry.
+
+// remove this snippet for 4.12+
+
+include::snippets/service-account-auto-secret-removed.adoc[]
diff --git a/modules/service-accounts-using-credentials-externally.adoc b/modules/service-accounts-using-credentials-externally.adoc
deleted file mode 100644
index db8fdf993367..000000000000
--- a/modules/service-accounts-using-credentials-externally.adoc
+++ /dev/null
@@ -1,78 +0,0 @@
-// Module included in the following assemblies:
-//
-// * authentication/using-service-accounts.adoc
-
-:_content-type: PROCEDURE
-[id="service-accounts-using-credentials-externally_{context}"]
-= Using a service account's credentials externally
-
-You can distribute a service account's token to external applications that must
-authenticate to the API.
-
-To pull an image, the authenticated user must have `get` rights on the
-requested `imagestreams/layers`. To push an image, the authenticated
-user must have `update` rights on the requested `imagestreams/layers`.
-
-By default, all service accounts in a project have rights to pull any image in
-the same project, and the *builder* service account has rights to push any image
-in the same project.
-
-.Procedure
-
-. View the service account's API token:
-+
-[source,terminal]
-----
-$ oc describe secret
-----
-+
-For example:
-+
-[source,terminal]
-----
-$ oc describe secret robot-token-uzkbh -n top-secret
-----
-+
-.Example output
-[source,terminal]
-----
-Name: robot-token-uzkbh
-Labels:
-Annotations: kubernetes.io/service-account.name=robot,kubernetes.io/service-account.uid=49f19e2e-16c6-11e5-afdc-3c970e4b7ffe
-
-Type: kubernetes.io/service-account-token
-
-Data
-
-token: eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
-----
-
-. Log in using the token that you obtained:
-+
-[source,terminal]
-----
-$ oc login --token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
-----
-+
-.Example output
-[source,terminal]
-----
-Logged into "https://server:8443" as "system:serviceaccount:top-secret:robot" using the token provided.
-
-You don't have any projects. You can try to create a new project, by running
-
- $ oc new-project
-----
-
-. Confirm that you logged in as the service account:
-+
-[source,terminal]
-----
-$ oc whoami
-----
-+
-.Example output
-[source,terminal]
-----
-system:serviceaccount:top-secret:robot
-----
diff --git a/nodes/pods/nodes-pods-secrets.adoc b/nodes/pods/nodes-pods-secrets.adoc
index d4920e11fbc8..2dc17e5b8f7e 100644
--- a/nodes/pods/nodes-pods-secrets.adoc
+++ b/nodes/pods/nodes-pods-secrets.adoc
@@ -17,6 +17,14 @@ As an administrator, you can use `Secret` objects to provide this information wi
 include::modules/nodes-pods-secrets-about.adoc[leveloffset=+1]
+// remove these links for 4.12+
+
+.Additional resources
+
+* For information about requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.html#bound-sa-tokens-configuring_bound-service-account-tokens[Using bound service account tokens]
+
+* For information about creating a service account token secret, see xref:../../nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret].
+
 include::modules/nodes-pods-secrets-creating.adoc[leveloffset=+1]
 include::modules/nodes-pods-secrets-creating-opaque.adoc[leveloffset=+2]
diff --git a/snippets/service-account-auto-secret-removed.adoc b/snippets/service-account-auto-secret-removed.adoc
new file mode 100644
index 000000000000..6c78d2b1b157
--- /dev/null
+++ b/snippets/service-account-auto-secret-removed.adoc
@@ -0,0 +1,17 @@
+// When including this file, ensure that {FeatureName} is set immediately before
+// the include. Otherwise it will result in an incorrect replacement.
+
+[id="auto-generated-sa-token-secrets_{context}"]
+== About automatically-generated service account token secrets
+
+In {product-version}, {product-title} is adopting an link:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes-1[enhancement from upstream Kubernetes], which enables the `LegacyServiceAccountTokenNoAutoGeneration` feature by default. As a result, when creating new serivce accounts (SA), a service account token secret is no longer automatically generated. Previously, {product-title} automatically added a service account token to a secret for each new SA.
+
+However, some features and workloads need service account token secrets to communicate with the Kubernetes API server, for example, the OpenShift Controller Manager. While this requirement will be changed in a future release, it remains in {product-title} {product-version}. As a result, if you need a service account token secret, you must manually use the TokenRequest API to request bound service account tokens or create a service account token secret.
+
+After upgrading to {product-version}, existing service account token secrets are not deleted and continue to function as expected.
+
+[NOTE]
+====
+In {product-version}, service account token secrets still appear to have been automatically generated. Although, instead creating two secrets per service account, {product-title} now creates one token, which does not work. In a future release, the number will be further reduced to zero. Note that `dockercfg` secrets are still generated and no secrets are deleted during upgrades.
+====
+