Bug 1819247 - [4.4] Bound token ServiceAccountIssuer should resolve to the apiserver
Summary: [4.4] Bound token ServiceAccountIssuer should resolve to the apiserver
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: kube-apiserver
Version: 4.4
Hardware: Unspecified
OS: Unspecified
high
urgent
Target Milestone: ---
: 4.4.0
Assignee: Maru Newby
QA Contact: Xingxing Xia
URL:
Whiteboard:
Depends On: 1819246
Blocks:
Reported: 2020-03-31 14:33 UTC by Maru Newby
Modified: 2020-05-04 11:48 UTC
CC: 4 users

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 1819246
Environment:
Last Closed: 2020-05-04 11:47:45 UTC
Target Upstream Version:




Links
System ID Priority Status Summary Last Updated
Github openshift api pull 624 None closed [release-4.4] Bug 1819247: Fix the default for Authentication.ServiceAccountIssuer 2020-04-16 10:55:28 UTC
Github openshift cluster-kube-apiserver-operator pull 823 None closed [release-4.4] Bug 1819247: Set service account issuer to internal dns name of kube apiserver 2020-04-16 10:55:29 UTC
Github openshift cluster-kube-apiserver-operator pull 829 None closed [release-4.4] Bug 1819247: Set service account issuer to internal dns name of kube apiserver 2020-04-16 10:55:29 UTC
Red Hat Product Errata RHBA-2020:0581 None None None 2020-05-04 11:48:12 UTC

Description Maru Newby 2020-03-31 14:33:10 UTC
+++ This bug was initially created as a clone of Bug #1819246 +++

The ServiceAccountIssuerDiscovery feature was added in kube 1.18 [1]. This feature enables testing that fails on openshift due to the use of a default ServiceAccountIssuer that does not point to the apiserver. The requirement to point to the apiserver was not clear when the default issuer was chosen for 4.4, and suggests that the default be changed to point to the apiserver for compatibility with upstream. 

Since bound service account tokens are new in 4.4, the only chance we have to update the default without breaking backwards compatibility is before 4.4 GA.


1: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md
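The check the description implies, as an added example that is not code from this bug or the linked openshift PRs: decode the `iss` claim a bound service account token advertises and confirm it is the apiserver URL, since that is the address an OIDC discovery client will follow. The expected issuer value (the in-cluster DNS name of the kube-apiserver) and the unsigned sample tokens are assumptions constructed for the demonstration.

```python
import base64
import json

# Issuer expected once the fix is in: the in-cluster DNS name of the kube-apiserver.
# Assumed value for this example; the operator sets the real one.
EXPECTED_ISSUER = "https://kubernetes.default.svc"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issuer_of(token: str) -> str:
    """Return the 'iss' claim of a compact JWT (signature deliberately NOT verified:
    we only want the URL an OIDC discovery client following this token would contact)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    claims = json.loads(_b64url_decode(parts[1]))
    iss = claims.get("iss")
    if not isinstance(iss, str) or not iss:
        raise ValueError("token carries no usable 'iss' claim")
    return iss


def issuer_resolves_to_apiserver(token: str, expected: str = EXPECTED_ISSUER) -> bool:
    """True if the token's issuer is the apiserver URL (trailing slash tolerated)."""
    return issuer_of(token).rstrip("/") == expected.rstrip("/")


def sample_token(issuer: str) -> str:
    """Constructed, unsigned (alg 'none') token for offline testing of the check.
    Real bound tokens are signed by the apiserver."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none"}
    claims = {"iss": issuer, "sub": "system:serviceaccount:default:default",
              "aud": ["https://kubernetes.default.svc"]}
    return enc(header) + "." + enc(claims) + "."


if __name__ == "__main__":
    for iss in (EXPECTED_ISSUER, "https://not-the-apiserver.example"):
        print(iss, "->", issuer_resolves_to_apiserver(sample_token(iss)))
```

On a live cluster the same check applies to the token mounted from a projected volume in a pod; a token whose issuer is anything other than the apiserver URL is the symptom this bug describes.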

Comment 3 Xingxing Xia 2020-04-17 11:05:19 UTC
Verified in latest 4.4.0-0.nightly-2020-04-17-044622 env launched this morning, got same result as bug 1819246#c4. The minor issue of bug 1823792 still exists in 4.4, so cloning it as bug 1825194.

Comment 5 errata-xmlrpc 2020-05-04 11:47:45 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581

