The ServiceAccountIssuerDiscovery feature was added in kube 1.18 . This feature enables testing that fails on openshift due to the use of a default ServiceAccountIssuer that does not point to the apiserver. The requirement to point to the apiserver was not clear when the default issuer was chosen for 4.4, and suggests that the default be changed to point to the apiserver for compatibility with upstream.
Since bound service account tokens is new in 4.4, the only chance we have to update the default without breaking backwards compatibility is before 4.4 GA.
Per PR 809 code change, checked as the following,
$ oc get configmaps config -n openshift-kube-apiserver -o json | jq .data.'"config.yaml"' | grep -E 'service-account-issuer|api-audiences|https://kubernetes.default.svc'
The changes has been found.
As above comment 3, verified in 4.5.0-0.nightly-2020-04-13-213244, the value defaults to https://kubernetes.default.svc:
[xxia 2020-04-14 21:51:59 CST my]$ oc extract configmaps/config -n openshift-kube-apiserver --confirm
[xxia 2020-04-14 21:52:36 CST my]$ mv config.yaml config.json
[xxia 2020-04-14 21:52:43 CST my]$ vi config.json
[xxia 2020-04-14 21:52:59 CST my]$ json2yaml config.json > config.yaml
[xxia 2020-04-14 21:53:04 CST my]$ vi config.yaml
Per this, moving to VERIFIED due to the backport need. BTW filed bug 1823792.
As to other knowledge mentioned in bug https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md and PR https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery and possible tests, still need more time to investigate and try when free.
(In reply to Xingxing Xia from comment #4)
> As to other knowledge mentioned in bug
> 20190730-oidc-discovery.md and PR
> account/#service-account-issuer-discovery and possible tests, still need
> more time to investigate and try when free.
I don't believe further investigation is required at this time. oidc discovery is an alpha feature in 4.5/1.18 and not available at all in 4.4/1.17. Since changing a default would represent a backwards-incompatible change, the outcome of this bz was to ensure that the default would be compatible with the oidc discovery feature if/when it becomes supportable in the future.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.