OpenShift Bugs / OCPBUGS-35181

CMA should support bound service account tokens

Type: Bug
Resolution: Unresolved
Priority: Normal
Affects Version: 4.17
Component: Pod Autoscaler
Severity: Moderate
Sprint: PODAUTO - Sprint 262
      Description of problem:

      The Cluster Metrics Autoscaler currently supports only the legacy service account token mechanism, in which a long-lived token stored in a Secret is referenced through the TriggerAuthentication secretTargetRef API fields.

      OpenShift is moving away from this legacy mechanism for security reasons and is moving components to bound service account tokens (https://docs.openshift.com/container-platform/4.15/authentication/bound-service-account-tokens.html). Bound tokens are more secure because they are audience-scoped and time-limited.
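      The distinction the report draws (a legacy secret-based token versus an audience- and time-limited bound token) is visible in the token's JWT claims. The following is an added example, not code from the report or from the autoscaler project: it decodes a token's payload without verifying the signature (inspection only, never authentication) and classifies it as legacy or bound, flagging an expired token or one whose audience does not match. The sample claim sets, the service account name `thanos`, the namespace `openshift-keda`, the audience `openshift` and the placeholder signature are all constructed for the example.

```python
"""Classify a Kubernetes service account token as legacy or bound.

Added example (not from OCPBUGS-35181). Decodes only the JWT payload, with
no signature verification, to inspect the claims that distinguish the two
token kinds.
"""
import base64
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT verified;
    use this for inspection only, never to authenticate a caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def classify_sa_token(token: str, expected_audience: Optional[str] = None,
                      now: Optional[int] = None) -> dict:
    """Decide whether a token is legacy (secret-based) or bound.

    Legacy tokens carry neither 'exp' nor 'aud'. Bound tokens carry both,
    plus a 'kubernetes.io' claim naming the namespace and service account
    (and optionally the pod) they are bound to.
    """
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    issues = []

    aud = claims.get("aud")
    if isinstance(aud, str):          # 'aud' may be a string or a list
        aud = [aud]
    exp = claims.get("exp")

    if exp is None and aud is None:
        kind = "legacy"
        issues.append("no exp claim: token never expires")
        issues.append("no aud claim: accepted by any audience")
    elif exp is not None and aud is not None and "kubernetes.io" in claims:
        kind = "bound"
        if exp <= now:
            issues.append("expired")
        iat = claims.get("iat")
        if iat is not None and exp - iat > 24 * 3600:
            issues.append(f"lifetime {exp - iat}s exceeds 24h")
        if expected_audience is not None and expected_audience not in aud:
            issues.append(f"audience {aud} does not include {expected_audience!r}")
    else:
        kind = "unknown"
        issues.append("claim set matches neither token kind")

    return {"kind": kind, "issues": issues,
            "subject": claims.get("sub"), "audience": aud, "exp": exp}


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed token with a placeholder signature (test data only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample claim sets; names and values are illustrative only.
NOW = 1_720_000_000
LEGACY_TOKEN = make_unsigned_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "openshift-keda",
    "kubernetes.io/serviceaccount/secret.name": "thanos-token-placeholder",
    "kubernetes.io/serviceaccount/service-account.name": "thanos",
    "sub": "system:serviceaccount:openshift-keda:thanos",
})
BOUND_TOKEN = make_unsigned_token({
    "iss": "https://kubernetes.default.svc",
    "aud": ["openshift"],
    "iat": NOW - 600,
    "nbf": NOW - 600,
    "exp": NOW + 3000,
    "kubernetes.io": {"namespace": "openshift-keda",
                      "serviceaccount": {"name": "thanos", "uid": "placeholder-uid"}},
    "sub": "system:serviceaccount:openshift-keda:thanos",
})

if __name__ == "__main__":
    for name, tok in (("legacy", LEGACY_TOKEN), ("bound", BOUND_TOKEN)):
        print(name, classify_sa_token(tok, expected_audience="openshift", now=NOW))
```

      Run against a token pulled from a TriggerAuthentication's referenced Secret, the legacy case reports the two missing claims that make such a token long-lived and audience-agnostic; a bound token instead reports only if it has expired or was minted for a different audience than the scaler expects.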

      Version-Release number of selected component (if applicable):

      4.17

      How reproducible:

      100%

      Steps to Reproduce:

      1. Use CMA
      2. No mechanism for bound service account tokens

      Actual results:

      Ability to use bound service account tokens

      Expected results:

      No ability to use bound service account tokens

      Additional info:

      Automatic creation of legacy service account tokens was disabled in 4.16.0 via https://issues.redhat.com/browse/API-1644. A legacy token can still be created manually, but it is considered less secure than a bound service account token.

      Slack Thread

            Max Cao
            Grant Spence
            Sunil Choudhary