Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-13226

Clarify automatically generated service account tokens

XMLWordPrintable

    • Moderate
    • No
    • 5
    • OSDOCS Sprint 237, OSDOCS Sprint 238, OSDOCS Sprint 239
    • 3
    • False
    • Hide

      None

      Show
      None

      Description of problem:

      Kubernetes stopped creating secrets with tokens for service accounts in version 1.24. Less privileged tokens are still being created in OpenShift 4.11 and 4.12, but this is not explained clearly.

      Affected Links:

      1. https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html#ocp-4-11-notable-technical-changes [LegacyServiceAccountTokenNoAutoGeneration is on by default]
      2. https://docs.openshift.com/container-platform/4.11/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts
      3. https://docs.openshift.com/container-platform/4.12/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts
      

      Additional info:

      The links above initially state "a service account token secret is no longer automatically generated," but later point out that a service account token is still created. The release notes state that "These tokens do not work," but providing one of these tokens does allow for authenticating and listing API endpoints.
      
      The following changes would improve the documentation for security-sensitive users:
      1. Remove the contradictory statements that tokens are no longer created
      2. Remove the statement that the tokens do not work.
      3. Explain why OpenShift continues to generate tokens when upstream Kubernetes does not.
      4. Describe the more limited privileges of the tokens still being generated
      5. If possible, provide more detail about the plans to remove these tokens in future releases.

              rhn-support-ahoffer Andrea Hoffer
              rhn-support-dkaylor David Kaylor
              Zhongyuan Zhang Zhongyuan Zhang (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: