Bug 1819246
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Bound token ServiceAccountIssuer should resolve to the apiserver | | |
| Product | OpenShift Container Platform | Reporter | Maru Newby <mnewby> |
| Component | kube-apiserver | Assignee | Maru Newby <mnewby> |
| Status | CLOSED ERRATA | QA Contact | Xingxing Xia <xxia> |
| Severity | urgent | Docs Contact | |
| Priority | high | | |
| Version | 4.5 | CC | aos-bugs, kewang, mfojtik, sttts, xxia |
| Target Milestone | --- | | |
| Target Release | 4.5.0 | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | No Doc Update |
| Doc Text | | Story Points | --- |
| Clone Of | | | |
| | 1819247 | Environment | |
| Last Closed | 2020-07-13 17:24:11 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | | | |
| Bug Blocks | 1819247 | | |
Description
Maru Newby
2020-03-31 14:31:24 UTC
Per PR 809 code change, checked as the following:

```
$ oc get configmaps config -n openshift-kube-apiserver -o json | jq .data.'"config.yaml"' | grep -E 'service-account-issuer|api-audiences|https://kubernetes.default.svc'
...\"apiServerArguments\":{\"api-audiences\":[\"https://kubernetes.default.svc\"],\"cloud-provider\":[\"aws\"],\"enable-aggregator-routing\":[\"true\"],\"feature-gates\":[\"RotateKubeletServerCertificate=true\",\"SupportPodPidsLimit=true\",\"NodeDisruptionExclusion=true\",\"ServiceNodeExclusion=true\",\"SCTPSupport=true\",\"LegacyNodeRoleBehavior=false\"],\"http2-max-streams-per-connection\":[\"2000\"],\"kubelet-preferred-address-types\":[\"InternalIP\"],\"max-mutating-requests-inflight\":[\"1000\"],\"max-requests-inflight\":[\"3000\"],\"service-account-issuer\":[\"https://kubernetes.default.svc\"],
```

The changes have been found.

As above comment 3, verified in 4.5.0-0.nightly-2020-04-13-213244, the value defaults to https://kubernetes.default.svc:

```
[xxia 2020-04-14 21:51:59 CST my]$ oc extract configmaps/config -n openshift-kube-apiserver --confirm
config.yaml
[xxia 2020-04-14 21:52:36 CST my]$ mv config.yaml config.json
[xxia 2020-04-14 21:52:43 CST my]$ vi config.json
[xxia 2020-04-14 21:52:59 CST my]$ json2yaml config.json > config.yaml
[xxia 2020-04-14 21:53:04 CST my]$ vi config.yaml
...
apiServerArguments:
  api-audiences:
  - https://kubernetes.default.svc
  ...
  service-account-issuer:
  - https://kubernetes.default.svc
...
```

Per this, moving to VERIFIED due to the backport need. BTW filed bug 1823792.

As to other knowledge mentioned in bug https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md and PR https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery and possible tests, still need more time to investigate and try when free.
(In reply to Xingxing Xia from comment #4)
> As to other knowledge mentioned in bug
> https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md
> and PR
> https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
> and possible tests, still need more time to investigate and try when free.

I don't believe further investigation is required at this time. OIDC discovery is an alpha feature in 4.5/1.18 and not available at all in 4.4/1.17. Since changing a default would represent a backwards-incompatible change, the outcome of this bz was to ensure that the default would be compatible with the OIDC discovery feature if/when it becomes supportable in the future.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409
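One check a practitioner might run to confirm what this bug changes (an added example; not code from the bug report, from OpenShift or from Kubernetes): the issuer in config.yaml should be an https URL, because an OIDC relying party fetches the issuer's discovery document from `<issuer>/.well-known/openid-configuration`; the issuer should appear in `api-audiences`; and a token minted by the apiserver should carry matching `iss` and `aud` claims. The config.yaml shape follows the excerpt in the verification comment above. The tokens are constructed here with placeholder signatures and are decoded without verification; `kubernetes/serviceaccount` is the upstream legacy issuer string and is used only as a constructed example of an issuer nothing can resolve, not as a statement of what OCP's previous default was.

```python
"""Consistency check between a kube-apiserver's bound-token settings and the
claims of a projected service account token. Added example, not OpenShift code.
Assumes config.yaml is the JSON document stored in the ConfigMap, with the
flags under .apiServerArguments, as in the bug report's excerpt."""
import base64
import json
from typing import List, Tuple

# Constructed: the relevant part of config.yaml from the fixed cluster.
GOOD_CONFIG = json.dumps({"apiServerArguments": {
    "api-audiences": ["https://kubernetes.default.svc"],
    "service-account-issuer": ["https://kubernetes.default.svc"],
}})

# Constructed: an issuer that is not an https URL, so no relying party can
# resolve it. "kubernetes/serviceaccount" is the upstream legacy issuer
# string; this is not a claim about OCP's earlier default.
LEGACY_CONFIG = json.dumps({"apiServerArguments": {
    "service-account-issuer": ["kubernetes/serviceaccount"],
}})


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_example_token(payload: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed input)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "example"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url_encode(b'placeholder-signature')}"


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWS. No signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def apiserver_settings(config_yaml: str) -> Tuple[str, List[str]]:
    """Return (issuer, audiences). When --api-audiences is unset,
    kube-apiserver defaults it to a one-element list holding the issuer."""
    args = json.loads(config_yaml)["apiServerArguments"]
    issuer = args["service-account-issuer"][0]
    return issuer, args.get("api-audiences", [issuer])


def discovery_url(issuer: str) -> str:
    """Where an OIDC relying party looks for the issuer's metadata."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_config(config_yaml: str) -> List[str]:
    """Problems with the apiserver settings themselves (empty list = ok)."""
    issuer, audiences = apiserver_settings(config_yaml)
    problems = []
    if not issuer.startswith("https://"):
        problems.append(f"issuer {issuer!r} is not an https URL; relying parties "
                        f"cannot fetch {discovery_url(issuer)}")
    if issuer not in audiences:
        problems.append(f"issuer {issuer!r} is not in api-audiences {audiences}")
    return problems


def check_token(token: str, config_yaml: str) -> List[str]:
    """Problems in a token's claims relative to the apiserver settings."""
    issuer, audiences = apiserver_settings(config_yaml)
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # RFC 7519 allows a single string here
        aud = [aud]
    if not set(aud) & set(audiences):
        problems.append(f"aud {aud} shares nothing with api-audiences {audiences}")
    return problems


# Constructed: a bound token as the fixed cluster would mint it.
BOUND_TOKEN = make_example_token({
    "iss": "https://kubernetes.default.svc",
    "aud": ["https://kubernetes.default.svc"],
    "sub": "system:serviceaccount:default:default",
    "kubernetes.io": {"namespace": "default",
                      "serviceaccount": {"name": "default"}},
})

# Constructed: a legacy-style token with no audience and a non-URL issuer.
LEGACY_TOKEN = make_example_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:default:default",
})

if __name__ == "__main__":
    for name, cfg, tok in [("fixed", GOOD_CONFIG, BOUND_TOKEN),
                           ("legacy", LEGACY_CONFIG, LEGACY_TOKEN)]:
        print(name, "config:", check_config(cfg) or "ok")
        print(name, "token :", check_token(tok, cfg) or "ok")
```

Signature verification is deliberately left out: it requires the JWKS published under the issuer, which is exactly what a relying party cannot fetch when the issuer is not a resolvable https URL. The `api-audiences` fallback to the issuer is upstream kube-apiserver behaviour; the report's cluster sets both flags explicitly.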