Bug 1813894
| Field | Value |
|---|---|
| Summary | stop adding service-ca to token secret in 4.6 |
| Product | OpenShift Container Platform |
| Component | kube-apiserver |
| Reporter | David Eads <deads> |
| Assignee | Maru Newby <mnewby> |
| QA Contact | scheng |
| Status | CLOSED DEFERRED |
| Severity | high |
| Priority | high |
| Version | 4.5 |
| Target Release | 4.6.0 |
| Keywords | UpcomingSprint |
| CC | aos-bugs, mfojtik, pruan, sttts, tflannag, xxia |
| Hardware | Unspecified |
| OS | Unspecified |
| Clones | 1843949 (view as bug list) |
| Type | Bug |
| Doc Type | Removed functionality |
| Last Closed | 2020-07-31 16:38:41 UTC |

Doc Text:

The service-serving CA is no longer available in pods at /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt. This file has been deprecated since 4.1.

Pods that currently consume the service-serving CA bundle from /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt must migrate to obtaining the CA bundle from a configMap annotated with service.beta.openshift.io/inject-cabundle=true.
Description
David Eads
2020-03-16 12:41:09 UTC
Corrected commit targeted for removal: https://github.com/openshift/kubernetes/commit/46562f3b5e34287b6ef79b92e54d9bee78ab735d

Initial deprecation notice: https://github.com/openshift/openshift-docs/blob/enterprise-4.1/release_notes/ocp-4-1-release-notes.adoc#service-ca-bundle-changes

*** Bug 1813892 has been marked as a duplicate of this bug. ***

PR to remove the code has been posted, and its merge should be deferred until 4.6: https://github.com/openshift/origin/pull/24393

Still waiting on the updates to the following operators:

- openshift/cluster-kube-controller-manager-operator (submitted but blocked by persistent and unrelated test flake)
- openshift/cluster-samples-operator (coordinating with maintainers of jboss-container-images to get required upstream changes merged)

The cluster-samples-operator fix is still in progress, but testing the change is now possible. The change can be tested by creating a pod in a 4.5 cluster and verifying the absence of the service serving CA in the pod filesystem: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt

The openshift/library PR has merged: https://github.com/openshift/library/pull/219

Tomorrow (June 3rd), once a nightly job has made the necessary updates to the branch, cluster-samples-operator will be able to vendor the change. This vendoring change will need to merge to master and then be backported to 4.5.

The change can be tested by creating a pod in a 4.5 cluster and verifying the absence of the service serving CA in service account token secrets and on the pod filesystem: /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt

As per https://bugzilla.redhat.com/show_bug.cgi?id=1845188 this change represents a backwards-incompatible change that was insufficiently communicated. Deferring to 4.6, and even then making this change will depend on being able to avoid breaking customer workloads.

This change is already present in master (it was reverted for release-4.5) and awaits QA verification.

Given a lack of visibility into the customer impact of this change, this change will not appear in 4.6. I dropped the removal PR as part of the 1.19 rebase. I'm closing for now and we can re-open if/when we can justify the time and energy required to not have this change negatively impact customers.
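The migration the Doc Text describes, as an added example that is not part of the bug report or any OpenShift project: a ConfigMap carrying the service.beta.openshift.io/inject-cabundle annotation, mounted into the workload in place of the deprecated token-secret path. The namespace, object names, image and mount path are placeholders.

```yaml
# Added example (not from the bug report). All names below are placeholders.
apiVersion: v1
kind: ConfigMap
metadata:
  name: myapp-service-ca
  namespace: myapp
  annotations:
    # The service-ca operator fills this ConfigMap with the key
    # service-ca.crt (the current service-serving CA bundle) and keeps
    # it updated when the CA rotates; nothing else needs to be in data.
    service.beta.openshift.io/inject-cabundle: "true"
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels: {app: myapp}
  template:
    metadata:
      labels: {app: myapp}
    spec:
      containers:
      - name: myapp
        image: PLACEHOLDER_IMAGE
        env:
        # Point the application at the mounted bundle instead of
        # /var/run/secrets/kubernetes.io/serviceaccount/service-ca.crt.
        - name: SERVICE_CA_FILE
          value: /etc/pki/service-ca/service-ca.crt
        volumeMounts:
        - name: service-ca
          mountPath: /etc/pki/service-ca
          readOnly: true
      volumes:
      - name: service-ca
        configMap:
          name: myapp-service-ca
          # Selecting the key explicitly (without optional: true) means the
          # volume cannot be set up until the operator has injected the
          # bundle, so the pod never starts with an empty trust store.
          items:
          - key: service-ca.crt
            path: service-ca.crt
```

After rollout, the verification step the comments describe still applies: confirm the bundle is read from the mounted path and that the workload no longer depends on the token-secret file, which is absent on clusters where the removal has landed.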