Bug 1819247

Summary: [4.4] Bound token ServiceAccountIssuer should resolve to the apiserver
Product: OpenShift Container Platform Reporter: Maru Newby <mnewby>
Component: kube-apiserverAssignee: Maru Newby <mnewby>
Status: CLOSED ERRATA QA Contact: Xingxing Xia <xxia>
Severity: urgent Docs Contact:
Priority: high    
Version: 4.4CC: aos-bugs, mfojtik, sttts, xxia
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 1819246 Environment:
Last Closed: 2020-05-04 11:47:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1819246    
Bug Blocks:    

Description Maru Newby 2020-03-31 14:33:10 UTC
+++ This bug was initially created as a clone of Bug #1819246 +++

The ServiceAccountIssuerDiscovery feature was added in kube 1.18 [1]. This feature enables testing that fails on openshift due to the use of a default ServiceAccountIssuer that does not point to the apiserver. The requirement to point to the apiserver was not clear when the default issuer was chosen for 4.4, and suggests that the default be changed to point to the apiserver for compatibility with upstream. 

Since bound service account tokens is new in 4.4, the only chance we have to update the default without breaking backwards compatibility is before 4.4 GA.

1: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md

Comment 3 Xingxing Xia 2020-04-17 11:05:19 UTC
Verified in latest 4.4.0-0.nightly-2020-04-17-044622 env launched this morning, got same result as bug 1819246#c4 . The minor issue of bug 1823792 still exists in 4.4, so cloning it as bug 1825194 .

Comment 5 errata-xmlrpc 2020-05-04 11:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.