-
Bug
-
Resolution: Done
-
Critical
-
4.12, 4.11
-
None
-
Moderate
-
No
-
5
-
OSDOCS Sprint 237, OSDOCS Sprint 238, OSDOCS Sprint 239
-
3
-
False
-
Description of problem:
Kubernetes stopped creating secrets with tokens for service accounts in version 1.24. Less privileged tokens are still being created in OpenShift 4.11 and 4.12, but this is not explained clearly.
Affected Links:
1. https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html#ocp-4-11-notable-technical-changes [LegacyServiceAccountTokenNoAutoGeneration is on by default] 2. https://docs.openshift.com/container-platform/4.11/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts 3. https://docs.openshift.com/container-platform/4.12/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts
Additional info:
The links above initially state "a service account token secret is no longer automatically generated," but later point out that a service account token is still created. The release notes state that "These tokens do not work," but providing one of these tokens does allow for authenticating and listing API endpoints. The following changes would improve the documentation for security-sensitive users: 1. Remove the contradictory statements that tokens are no longer created 2. Remove the statement that the tokens do not work. 3. Explain why OpenShift continues to generate tokens when upstream Kubernetes does not. 4. Describe the more limited privileges of the tokens still being generated 5. If possible, provide more detail about the plans to remove these tokens in future releases.
- is related to
-
OCPBUGS-37431 "Using service accounts in applications" doc inconsistencies regarding legacy service account tokens
- New
-
OCPBUGS-34846 Ingress autoscaling was blocked due to token of the created serviceaccount thanos was none
- Closed
- links to