Bug 1819246

Summary: Bound token ServiceAccountIssuer should resolve to the apiserver
Product: OpenShift Container Platform
Reporter: Maru Newby <mnewby>
Component: kube-apiserver
Assignee: Maru Newby <mnewby>
Status: CLOSED ERRATA
QA Contact: Xingxing Xia <xxia>
Severity: urgent
Docs Contact:
Priority: high
Version: 4.5
CC: aos-bugs, kewang, mfojtik, sttts, xxia
Target Milestone: ---
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
Clones: 1819247
Environment:
Last Closed: 2020-07-13 17:24:11 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1819247

Description Maru Newby 2020-03-31 14:31:24 UTC
The ServiceAccountIssuerDiscovery feature was added in kube 1.18 [1]. This feature enables testing that fails on openshift due to the use of a default ServiceAccountIssuer that does not point to the apiserver. The requirement to point to the apiserver was not clear when the default issuer was chosen for 4.4, and suggests that the default be changed to point to the apiserver for compatibility with upstream. 

Since bound service account tokens is new in 4.4, the only chance we have to update the default without breaking backwards compatibility is before 4.4 GA.


1: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md

Comment 3 Ke Wang 2020-04-14 09:07:19 UTC
Per the PR 809 code change, checked as follows:

$ oc get configmaps config -n openshift-kube-apiserver -o json | jq .data.'"config.yaml"' | grep -E 'service-account-issuer|api-audiences|https://kubernetes.default.svc'

...\"apiServerArguments\":{\"api-audiences\":[\"https://kubernetes.default.svc\"],\"cloud-provider\":[\"aws\"],\"enable-aggregator-routing\":[\"true\"],\"feature-gates\":[\"RotateKubeletServerCertificate=true\",\"SupportPodPidsLimit=true\",\"NodeDisruptionExclusion=true\",\"ServiceNodeExclusion=true\",\"SCTPSupport=true\",\"LegacyNodeRoleBehavior=false\"],\"http2-max-streams-per-connection\":[\"2000\"],\"kubelet-preferred-address-types\":[\"InternalIP\"],\"max-mutating-requests-inflight\":[\"1000\"],\"max-requests-inflight\":[\"3000\"],\"service-account-issuer\":[\"https://kubernetes.default.svc\"],

The changes have been found.

Comment 4 Xingxing Xia 2020-04-14 14:08:07 UTC
As in comment 3 above, verified in 4.5.0-0.nightly-2020-04-13-213244; the value defaults to https://kubernetes.default.svc:
[xxia 2020-04-14 21:51:59 CST my]$ oc extract configmaps/config -n openshift-kube-apiserver --confirm
config.yaml
[xxia 2020-04-14 21:52:36 CST my]$ mv config.yaml config.json
[xxia 2020-04-14 21:52:43 CST my]$ vi config.json
[xxia 2020-04-14 21:52:59 CST my]$ json2yaml config.json > config.yaml
[xxia 2020-04-14 21:53:04 CST my]$ vi config.yaml
...
apiServerArguments:
  api-audiences:
  - https://kubernetes.default.svc
...
  service-account-issuer:
  - https://kubernetes.default.svc
...

Per this, moving to VERIFIED due to the backport need. BTW filed bug 1823792.
As to the other knowledge mentioned in bug https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md and PR https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery and possible tests, I still need more time to investigate and try when free.
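The verification in comments 3 and 4 boils down to reading the `config` ConfigMap of openshift-kube-apiserver, whose `config.yaml` value is a JSON document, and confirming that `service-account-issuer` and `api-audiences` hold the in-cluster apiserver URL. The script below is an added example, not code from this bug, from PR 809 or from OpenShift: it performs that check offline against constructed sample ConfigMaps (the `make_configmap`, `check_issuer` and `load_apiserver_arguments` helpers are hypothetical, and the mismatching issuer `https://issuer.example` is a placeholder, not a real OpenShift default). It also derives the OIDC discovery document URL (`issuer` + `/.well-known/openid-configuration`, per OpenID Connect Discovery), which is why an issuer that does not resolve to the apiserver breaks the ServiceAccountIssuerDiscovery feature the bug is about.

```python
"""Verify that the kube-apiserver's bound-token issuer points at the apiserver.

Added, hypothetical checker (not part of the bug, of PR 809, or of OpenShift).
It consumes the `config` ConfigMap of openshift-kube-apiserver in the shape
`oc get configmap config -n openshift-kube-apiserver -o json` prints, where
data["config.yaml"] is itself a JSON document carrying apiServerArguments, and
reports whether service-account-issuer and api-audiences hold the expected
in-cluster apiserver URL.
"""
import json
import sys
from urllib.parse import urlsplit

EXPECTED_ISSUER = "https://kubernetes.default.svc"


def make_configmap(issuer: str, audiences: list) -> str:
    """Build a constructed sample ConfigMap (JSON text) with the given arguments."""
    config_yaml = {
        "apiServerArguments": {
            "api-audiences": audiences,
            "service-account-issuer": [issuer],
            "max-requests-inflight": ["3000"],
        }
    }
    return json.dumps({
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": "config", "namespace": "openshift-kube-apiserver"},
        # config.yaml is stored as a JSON string, as in the oc output in comment 3.
        "data": {"config.yaml": json.dumps(config_yaml)},
    })


# Constructed samples: one matching the fixed default, one whose issuer does not
# resolve to the apiserver (placeholder host, not a real OpenShift setting).
GOOD_CONFIGMAP = make_configmap(EXPECTED_ISSUER, [EXPECTED_ISSUER])
BAD_CONFIGMAP = make_configmap("https://issuer.example", [EXPECTED_ISSUER])


def load_apiserver_arguments(configmap_json: str) -> dict:
    """Return apiServerArguments from the ConfigMap JSON (empty dict if absent)."""
    configmap = json.loads(configmap_json)
    config = json.loads(configmap["data"]["config.yaml"])
    return config.get("apiServerArguments", {})


def check_issuer(configmap_json: str, expected: str = EXPECTED_ISSUER) -> dict:
    """Compare service-account-issuer and api-audiences with the expected URL.

    The result carries the observed values, per-check booleans, and the OIDC
    discovery document URL a relying party derives from the issuer
    (issuer + /.well-known/openid-configuration per OpenID Connect Discovery).
    """
    args = load_apiserver_arguments(configmap_json)
    issuers = args.get("service-account-issuer", [])
    audiences = args.get("api-audiences", [])
    issuer = issuers[0] if issuers else None
    scheme = urlsplit(issuer).scheme if issuer else ""
    return {
        "issuer": issuer,
        "audiences": audiences,
        "issuer_matches": issuer == expected,
        "issuer_is_https": scheme == "https",
        "audience_contains_issuer": issuer is not None and issuer in audiences,
        "discovery_url": (f"{issuer.rstrip('/')}/.well-known/openid-configuration"
                          if issuer else None),
    }


def main(argv: list) -> int:
    """Check a ConfigMap JSON file named on the command line, else the good sample."""
    raw = open(argv[1]).read() if len(argv) > 1 else GOOD_CONFIGMAP
    result = check_issuer(raw)
    for key, value in result.items():
        print(f"{key}: {value}")
    ok = result["issuer_matches"] and result["audience_contains_issuer"]
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On a live cluster, save `oc get configmap config -n openshift-kube-apiserver -o json` to a file and pass its path as the single argument; the exit status is non-zero when the issuer differs from the apiserver URL or is missing from the audiences, which is the condition the fix in this bug rules out by default.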

Comment 5 Maru Newby 2020-04-14 15:51:19 UTC
(In reply to Xingxing Xia from comment #4)
> As to other knowledge mentioned in bug
> https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/
> 20190730-oidc-discovery.md and PR
> https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-
> account/#service-account-issuer-discovery and possible tests, still need
> more time to investigate and try when free.

I don't believe further investigation is required at this time. oidc discovery is an alpha feature in 4.5/1.18 and not available at all in 4.4/1.17. Since changing a default would represent a backwards-incompatible change, the outcome of this bz was to ensure that the default would be compatible with the oidc discovery feature if/when it becomes supportable in the future.

Comment 7 errata-xmlrpc 2020-07-13 17:24:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409