Bug 1695196

Summary: [DOCS] Document lack of audience support in 4.1
Product: OpenShift Container Platform
Reporter: David Eads <deads>
Component: Documentation
Assignee: Andrew Taylor <antaylor>
Status: CLOSED CURRENTRELEASE
QA Contact: scheng
Severity: low
Docs Contact: Vikram Goyal <vigoyal>
Priority: high
Version: 4.1.0
CC: aos-bugs, chuyu, jokerman, mkhan, mmccomas, nagrawal
Target Milestone: ---
Keywords: Reopened
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-05 13:18:50 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description David Eads 2019-04-02 16:12:24 UTC
As I understand audiences, I can request a token that has a specific audience, but if the kube-apiserver isn't configured to honor audiences, that token would still be valid for the KAS even if I specified a different audience, and that is unexpected.

Comment 2 Mo 2019-04-04 20:04:53 UTC
Assigning to Christian so we can doc that SA token requests and project volumes with serviceAccountToken mount will not work in 4.1

This is not a security issue in 4.1 as:

1. There is no way to request a SA token with an audience in 4.1
2. The authenticator required to honor said token is not enabled in 4.1
3. The kubelet will error if a serviceAccountToken projected volume is used

Thus, there is no risk that a token with an audience will be issued while the audience restriction is "ignored."
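
The concern in the description and the reasoning above come down to one check: does the verifier compare its own audience against the token's `aud` claim, or does it accept any validly signed token? The following Python example is added here and is not part of the bug report or of OpenShift; it mints a small HS256 JWT bound to a constructed audience and runs it through a verifier in both modes. The signing key, audience strings, subject and `verify_token` helper are all constructed for illustration and do not correspond to real cluster material or APIs.

```python
import base64
import binascii
import hashlib
import hmac
import json

# Constructed demo key: stands in for the service-account signing key, not a real secret.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"

# Constructed audience identifiers used by the two verifiers in this example.
KAS_AUDIENCE = "https://kubernetes.default.svc"   # what the API server would call itself
VAULT_AUDIENCE = "vault"                          # some other service the token was minted for


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audiences: list[str]) -> str:
    """Mint an HS256 JWT whose aud claim lists the requested audiences.

    This plays the role of an audience-scoped token request; the claim layout
    is a constructed approximation, not the real projected-token format.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "kubernetes/serviceaccount", "sub": subject, "aud": audiences}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    signature = hmac.new(SIGNING_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(signature)}"


def verify_token(token: str, my_audience: str, honor_audience: bool) -> tuple[bool, str]:
    """Check the signature, then optionally enforce that my_audience is in aud.

    honor_audience=False models a verifier that ignores the audience claim:
    any validly signed token is accepted, which is the surprising behaviour
    the bug description worries about.
    """
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        presented_sig = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(claims_b64))
    except (ValueError, binascii.Error):
        return False, "malformed token"

    expected_sig = hmac.new(SIGNING_KEY, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, presented_sig):
        return False, "bad signature"

    if not honor_audience:
        return True, "accepted (audience ignored)"

    aud = claims.get("aud", [])
    if isinstance(aud, str):          # a single-audience token may carry a bare string
        aud = [aud]
    if my_audience not in aud:
        return False, f"audience mismatch: token is for {aud}, verifier is {my_audience!r}"
    return True, "accepted (audience honoured)"


if __name__ == "__main__":
    # Token minted for the constructed "vault" audience only.
    token = mint_token("system:serviceaccount:demo:app", [VAULT_AUDIENCE])
    print("vault, honoured :", verify_token(token, VAULT_AUDIENCE, honor_audience=True))
    print("KAS,   honoured :", verify_token(token, KAS_AUDIENCE, honor_audience=True))
    print("KAS,   ignored  :", verify_token(token, KAS_AUDIENCE, honor_audience=False))
```

Run stand-alone it prints three results: the vault verifier accepts the token, an audience-honouring API server rejects it, and an audience-ignoring API server accepts it. That last line is the unexpected acceptance described in the report, and the comment above explains why it cannot occur in 4.1: no audience-scoped token can be minted in the first place, so the ignoring verifier never sees one.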

Comment 7 Andrew Taylor 2019-05-29 18:04:33 UTC
The following statement has been verified with QA and will be included in the "known issues" section of the release notes: 

Requesting a `ServiceAccountTokenVolumeProjection` is not available in {product-title} 4.1. The
authenticator required to honor the token is not enabled in this release, and
the kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used. 

This has been added to the 4.1 release note tracker here (which will be merged closer to GA) :
https://github.com/openshift/openshift-docs/pull/15039


Thanks,
Andrew

Comment 8 Mo 2019-05-29 18:32:49 UTC
For completeness:

The TokenRequest API is not available in {product-title} 4.1.

Requesting a `ServiceAccountTokenVolumeProjection` volume is not available in {product-title} 4.1.
The kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used. 

The authenticator required to honor these tokens is not enabled in this release.

Comment 9 Andrew Taylor 2019-05-29 19:42:33 UTC
Excellent, thank you Mo. I've pushed the updated text verbatim.

Setting this bug to verified, and will move it to release pending when it has been merged per documentation standards.

Comment 10 Andrew Taylor 2019-06-05 13:18:50 UTC
These changes are now live since OCP 4.1 has GA'ed, closing this bug as current release.

Thanks,
Andrew