1819247 – [4.4] Bound token ServiceAccountIssuer should resolve to the apiserver

Bug 1819247 - [4.4] Bound token ServiceAccountIssuer should resolve to the apiserver

Summary: [4.4] Bound token ServiceAccountIssuer should resolve to the apiserver

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	kube-apiserver
Sub Component:
Version:	4.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	urgent
Target Milestone:	---
Target Release:	4.4.0
Assignee:	Maru Newby
QA Contact:	Xingxing Xia
Docs Contact:
URL:
Whiteboard:
Depends On:	1819246
Blocks:
TreeView+	depends on / blocked

Reported:	2020-03-31 14:33 UTC by Maru Newby
Modified:	2020-05-04 11:48 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:
Clone Of:	1819246
Environment:
Last Closed:	2020-05-04 11:47:45 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Github	openshift api pull 624	None	closed	[release-4.4] Bug 1819247: Fix the default for Authentication.ServiceAccountIssuer	2021-02-03 02:08:50 UTC
Github	openshift cluster-kube-apiserver-operator pull 823	None	closed	[release-4.4] Bug 1819247: Set service account issuer to internal dns name of kube apiserver	2021-02-03 02:08:50 UTC
Github	openshift cluster-kube-apiserver-operator pull 829	None	closed	[release-4.4] Bug 1819247: Set service account issuer to internal dns name of kube apiserver	2021-02-03 02:08:50 UTC
Red Hat Product Errata	RHBA-2020:0581	None	None	None	2020-05-04 11:48:12 UTC

Description Maru Newby 2020-03-31 14:33:10 UTC

+++ This bug was initially created as a clone of Bug #1819246 +++

The ServiceAccountIssuerDiscovery feature was added in kube 1.18 [1]. This feature enables testing that fails on openshift due to the use of a default ServiceAccountIssuer that does not point to the apiserver. The requirement to point to the apiserver was not clear when the default issuer was chosen for 4.4, and suggests that the default be changed to point to the apiserver for compatibility with upstream. 

Since bound service account tokens is new in 4.4, the only chance we have to update the default without breaking backwards compatibility is before 4.4 GA.


1: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md

Comment 3 Xingxing Xia 2020-04-17 11:05:19 UTC

Verified in latest 4.4.0-0.nightly-2020-04-17-044622 env launched this morning, got same result as bug 1819246#c4 . The minor issue of bug 1823792 still exists in 4.4, so cloning it as bug 1825194 .

Comment 5 errata-xmlrpc 2020-05-04 11:47:45 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

Note You need to log in before you can comment on or make changes to this bug.