New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
move BoundServiceAccountTokenVolume to beta #95667
Conversation
/cc @liggitt |
/sig auth |
This PR may require API review. If so, when the changes are ready, complete the pre-review checklist and request an API review. Status of requested reviews is tracked in the API Review project. |
the upgrade CI test results look good, thanks for seeing that through!
|
The release note needs to more explicitly indicate what new API server arguments are required (and that the BoundServiceAccountTokenVolume feature can be disabled if desired while in beta in lieu of providing the new arguments) |
that's what i was confused: those flags should be validated if
the apiserver will fail to start if those arguments are missing. how this feature can be disabled by not providing the new arguments? or use |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/milestone v1.21
@@ -165,7 +165,7 @@ func (o *BuiltInAuthenticationOptions) WithRequestHeader() *BuiltInAuthenticatio | |||
|
|||
// WithServiceAccounts set default value for service account authentication | |||
func (o *BuiltInAuthenticationOptions) WithServiceAccounts() *BuiltInAuthenticationOptions { | |||
o.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true} | |||
o.ServiceAccounts = &ServiceAccountAuthenticationOptions{Lookup: true, ExtendExpiration: true} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
move this to a separate PR for merging in 1.20
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
@@ -202,6 +202,14 @@ func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint | |||
if cfg.APIServer.ExtraArgs == nil { | |||
cfg.APIServer.ExtraArgs = map[string]string{} | |||
} | |||
|
|||
// TODO: remove in 1.21. used for smooth transition in 1.19->1.20 upgrades around the BoundServiceAccountTokenVolume feature: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
BoundServiceAccountTokenVolume to beta will be held for 1.21, so this change can be dropped
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
/test pull-kubernetes-e2e-kind-ipv6 |
lgtm, will hold for 1.21 |
/remove-area kubeadm |
/test all |
/hold cancel |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, zshihang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@zshihang: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/retest |
What type of PR is this?
/kind feature
/kind api-change
What this PR does / why we need it:
graduate feature BoundServiceAccountTokenVolume to beta as the criteria is met.
https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens#alpha-beta
upgrade test is passing: https://k8s-testgrid.appspot.com/sig-auth-gce#upgrade-tests
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
KEP: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens