Bug 1819246 - Bound token ServiceAccountIssuer should resolve to the apiserver
Summary: Bound token ServiceAccountIssuer should resolve to the apiserver
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.5
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ---
: 4.5.0
Assignee: Maru Newby
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On:
Blocks: 1819247
TreeView+ depends on / blocked
 
Reported: 2020-03-31 14:31 UTC by Maru Newby
Modified: 2020-07-13 17:24 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
: 1819247 (view as bug list)
Environment:
Last Closed: 2020-07-13 17:24:11 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift api pull 617 0 None closed Bug 1819246: Fix the default for Authentication.ServiceAccountIssuer 2021-01-29 11:23:28 UTC
Github openshift cluster-kube-apiserver-operator pull 809 0 None closed Bug 1819246: Set service account issuer to internal dns name of kube apiserver 2021-01-29 11:24:15 UTC
Red Hat Product Errata RHBA-2020:2409 0 None None None 2020-07-13 17:24:31 UTC

Description Maru Newby 2020-03-31 14:31:24 UTC
The ServiceAccountIssuerDiscovery feature was added in kube 1.18 [1]. This feature enables testing that fails on openshift due to the use of a default ServiceAccountIssuer that does not point to the apiserver. The requirement to point to the apiserver was not clear when the default issuer was chosen for 4.4, and suggests that the default be changed to point to the apiserver for compatibility with upstream. 

Since bound service account tokens is new in 4.4, the only chance we have to update the default without breaking backwards compatibility is before 4.4 GA.


1: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md

Comment 3 Ke Wang 2020-04-14 09:07:19 UTC
Per PR 809 code change, checked as the following,

$ oc get configmaps config -n openshift-kube-apiserver -o json | jq .data.'"config.yaml"' | grep -E 'service-account-issuer|api-audiences|https://kubernetes.default.svc'

...\"apiServerArguments\":{\"api-audiences\":[\"https://kubernetes.default.svc\"],\"cloud-provider\":[\"aws\"],\"enable-aggregator-routing\":[\"true\"],\"feature-gates\":[\"RotateKubeletServerCertificate=true\",\"SupportPodPidsLimit=true\",\"NodeDisruptionExclusion=true\",\"ServiceNodeExclusion=true\",\"SCTPSupport=true\",\"LegacyNodeRoleBehavior=false\"],\"http2-max-streams-per-connection\":[\"2000\"],\"kubelet-preferred-address-types\":[\"InternalIP\"],\"max-mutating-requests-inflight\":[\"1000\"],\"max-requests-inflight\":[\"3000\"],\"service-account-issuer\":[\"https://kubernetes.default.svc\"],

The changes has been found.

Comment 4 Xingxing Xia 2020-04-14 14:08:07 UTC
As above comment 3, verified in 4.5.0-0.nightly-2020-04-13-213244, the value defaults to https://kubernetes.default.svc:
[xxia 2020-04-14 21:51:59 CST my]$ oc extract configmaps/config -n openshift-kube-apiserver --confirm
config.yaml
[xxia 2020-04-14 21:52:36 CST my]$ mv config.yaml config.json
[xxia 2020-04-14 21:52:43 CST my]$ vi config.json
[xxia 2020-04-14 21:52:59 CST my]$ json2yaml config.json > config.yaml
[xxia 2020-04-14 21:53:04 CST my]$ vi config.yaml
...
apiServerArguments:
  api-audiences:
  - https://kubernetes.default.svc
...
  service-account-issuer:
  - https://kubernetes.default.svc
...

Per this, moving to VERIFIED due to the backport need. BTW filed bug 1823792.
As to other knowledge mentioned in bug https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md and PR https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery and possible tests, still need more time to investigate and try when free.

Comment 5 Maru Newby 2020-04-14 15:51:19 UTC
(In reply to Xingxing Xia from comment #4)
> As to other knowledge mentioned in bug
> https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/
> 20190730-oidc-discovery.md and PR
> https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-
> account/#service-account-issuer-discovery and possible tests, still need
> more time to investigate and try when free.

I don't believe further investigation is required at this time. oidc discovery is an alpha feature in 4.5/1.18 and not available at all in 4.4/1.17. Since changing a default would represent a backwards-incompatible change, the outcome of this bz was to ensure that the default would be compatible with the oidc discovery feature if/when it becomes supportable in the future.

Comment 7 errata-xmlrpc 2020-07-13 17:24:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409


Note You need to log in before you can comment on or make changes to this bug.