Bug 1695196
Summary: | [DOCS] Document lack of audience support in 4.1 | | |
---|---|---|---|
Product: | OpenShift Container Platform | Reporter: | David Eads <deads> |
Component: | Documentation | Assignee: | Andrew Taylor <antaylor> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | scheng |
Severity: | low | Docs Contact: | Vikram Goyal <vigoyal> |
Priority: | high | | |
Version: | 4.1.0 | CC: | aos-bugs, chuyu, jokerman, mkhan, mmccomas, nagrawal |
Target Milestone: | --- | Keywords: | Reopened |
Target Release: | 4.1.0 | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2019-06-05 13:18:50 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
David Eads
2019-04-02 16:12:24 UTC
Assigning to Christian so we can doc that SA token requests and project volumes with serviceAccountToken mount will not work in 4.1.

This is not a security issue in 4.1 as:

1. There is no way to request a SA token with an audience in 4.1
2. The authenticator required to honor said token is not enabled in 4.1
3. The kubelet will error if a serviceAccountToken projected volume is used

Thus, there is no risk that a token with an audience will be issued while the audience restriction is "ignored."

The following statement has been verified with QA and will be included in the "known issues" section of the release notes:

Requesting a `ServiceAccountTokenVolumeProjection` is not available in {product-title} 4.1. The authenticator required to honor the token is not enabled in this release, and the kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used.

This has been added to the 4.1 release note tracker here (which will be merged closer to GA): https://github.com/openshift/openshift-docs/pull/15039

Thanks,
Andrew

For completeness:

The TokenRequest API is not available in {product-title} 4.1. Requesting a `ServiceAccountTokenVolumeProjection` volume is not available in {product-title} 4.1. The kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used. The authenticator required to honor these tokens is not enabled in this release.

Excellent, thank you Mo. I've pushed the updated text verbatim. Setting this bug to verified, and will move it to release pending when it has been merged per documentation standards.

These changes are now live since OCP 4.1 has GA'ed, closing this bug as current release.

Thanks,
Andrew
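
An added example, not part of the bug report or the OpenShift documentation: a pre-deployment check that lists every pod spec using a projected `serviceAccountToken` source, the volume type the kubelet rejects in 4.1 according to this bug. The function names and `SAMPLE` manifest are constructed for illustration, and the walker goes beyond Pods by treating any mapping with a `containers` list as a pod spec, so it also covers Deployments, CronJobs and `List` output.

```python
import json

# Constructed sample, shaped like the output of `oc get deploy,pod,cronjob -o json`.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Deployment", "metadata": {"name": "api"}, "spec": {"template": {"spec": {
        "containers": [{"name": "api", "image": "example/api"}],
        "volumes": [{"name": "vault-token", "projected": {"sources": [
            {"configMap": {"name": "ca-bundle"}},
            {"serviceAccountToken": {"audience": "vault", "path": "token",
                                     "expirationSeconds": 3600}}]}}]}}}},
    {"kind": "Pod", "metadata": {"name": "db"}, "spec": {
        "containers": [{"name": "db", "image": "example/db"}],
        "volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}]}},
    {"kind": "CronJob", "metadata": {"name": "sync"}, "spec": {"jobTemplate": {"spec": {
        "template": {"spec": {
            "containers": [{"name": "sync", "image": "example/sync"}],
            "volumes": [{"name": "sa", "projected": {"sources": [
                {"serviceAccountToken": {"path": "token"}}]}}]}}}}}},
]}

def pod_specs(obj, path=""):
    """Yield (json_path, pod_spec) for every mapping that looks like a PodSpec."""
    if isinstance(obj, dict):
        if isinstance(obj.get("containers"), list):
            yield path, obj
            return
        for key, value in obj.items():
            yield from pod_specs(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from pod_specs(value, f"{path}[{index}]")

def find_token_projections(manifest):
    """Return one finding per projected serviceAccountToken source."""
    findings = []
    for path, spec in pod_specs(manifest):
        for volume in spec.get("volumes") or []:
            for source in (volume.get("projected") or {}).get("sources") or []:
                token = source.get("serviceAccountToken")
                if token is not None:
                    findings.append({"podSpec": path,
                                     "volume": volume.get("name"),
                                     "audience": token.get("audience")})
    return findings

if __name__ == "__main__":
    print(json.dumps(find_token_projections(SAMPLE), indent=2))
```
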