Bug 1695196 - [DOCS] Document lack of audience support in 4.1
Summary: [DOCS] Document lack of audience support in 4.1
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
high
low
Target Milestone: ---
: 4.1.0
Assignee: Andrew Taylor
QA Contact: scheng
Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-04-02 16:12 UTC by David Eads
Modified: 2019-06-05 13:18 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-05 13:18:50 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description David Eads 2019-04-02 16:12:24 UTC
As I understand audiences, I can request a token that has a specific audience, but if the kube-apiserver isn't configured to honor audiences, that token would still be valid for the KAS even if I specified a different audience and the is unexpected.

Comment 2 Mo 2019-04-04 20:04:53 UTC
Assigning to Christian so we can doc that SA token requests and project volumes with serviceAccountToken mount will not work in 4.1

This is not a security issue in 4.1 as:

1. There is no way to request a SA token with an audience in 4.1
2. The authenticator required to honor said token is not enabled in 4.1
3. The kubelet will error if a serviceAccountToken projected volume is used

Thus, there is no risk that a token with an audience will be issued while the audience restriction is "ignored."

Comment 7 Andrew Taylor 2019-05-29 18:04:33 UTC
The following statement has been verified with QA and will be included in the "known issues" section of the release notes: 

Requesting a `ServiceAccountTokenVolumeProjection` is not available in {product-title} 4.1. The
authenticator required to honor the token is not enabled in this release, and
the kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used. 

This has been added to the 4.1 release note tracker here (which will be merged closer to GA) :
https://github.com/openshift/openshift-docs/pull/15039


Thanks,
Andrew

Comment 8 Mo 2019-05-29 18:32:49 UTC
For completeness:



The TokenRequest API is not available in {product-title} 4.1.

Requesting a `ServiceAccountTokenVolumeProjection` volume is not available in {product-title} 4.1.
The kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used. 

The authenticator required to honor these tokens is not enabled in this release.

Comment 9 Andrew Taylor 2019-05-29 19:42:33 UTC
Excellent, thank you Mo. I've pushed updated the text verbatim.

Setting this bug to verified, and will move it to release pending when it has been merged per documentation standards.

Comment 10 Andrew Taylor 2019-06-05 13:18:50 UTC
These changes are now live since OCP 4.1 has GA'ed, closing this bug as current release.

Thanks,
Andrew


Note You need to log in before you can comment on or make changes to this bug.