- Bug
- Resolution: Unresolved
- Normal
- None
- 4.17
- None
- Moderate
- No
- 3
- PODAUTO - Sprint 264
- 1
- False

Description of problem:
The Cluster Metrics Autoscaler currently only supports the legacy service account token mechanism via the TriggerAuthentication secretTargetRef API fields. OpenShift is moving away from this legacy API for security reasons, and moving components to use bound service account tokens (https://docs.openshift.com/container-platform/4.15/authentication/bound-service-account-tokens.html). This authentication is more secure by being audience and time limited.
Version-Release number of selected component (if applicable):
4.17
How reproducible:
100%
Steps to Reproduce:
1. Use CMA
2. No mechanism for bound service account tokens
3.
Actual results:
Ability to use bound service account tokens
Expected results:
No ability to use bound service account tokens
Additional info:
The automatic creation of the legacy service account tokens has been disabled in 4.16.0 via https://issues.redhat.com/browse/API-1644. Though you can still manually create this legacy service account token, it's still considered less secure than the bound service account token mechanism.
- relates to: OCPBUGS-34846 Ingress autoscaling was blocked due to token of the created serviceaccount thanos was none (Closed)
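
The difference the ticket describes between legacy and bound service account tokens is visible in the token claims themselves. The following is an added example, not code from this ticket or from the Cluster Metrics Autoscaler: a small auditing helper that decodes a token's payload and reports whether it is a legacy Secret-backed token (no expiry, no audience) or a bound token (audience and time limited). The claim names are the standard Kubernetes ones; the sample tokens, namespace, service account and pod names are constructed for illustration.

```python
import base64
import json
import time
from typing import Optional

def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build an unsigned sample JWT (constructed test data, not a real credential)."""
    return ".".join([_b64url({"alg": "RS256"}), _b64url(claims), "c2lnbmF0dXJl"])

def decode_claims(token: str) -> dict:
    """Read the JWT payload without verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def classify(token: str, now: Optional[float] = None) -> dict:
    claims = decode_claims(token)
    now = time.time() if now is None else now
    exp, aud = claims.get("exp"), claims.get("aud")
    if exp is None and "kubernetes.io/serviceaccount/secret.name" in claims:
        kind = "legacy"   # Secret-backed: no expiry, no audience restriction
    elif exp is not None and aud:
        kind = "bound"    # TokenRequest-issued: audience and lifetime are limited
    else:
        kind = "unknown"
    return {
        "kind": kind,
        "audiences": [aud] if isinstance(aud, str) else list(aud or []),
        "seconds_left": None if exp is None else int(exp - now),
        "bound_pod": claims.get("kubernetes.io", {}).get("pod", {}).get("name"),
    }

# Constructed sample claims; all names and values are illustrative.
LEGACY = make_token({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "example-ns",
    "kubernetes.io/serviceaccount/secret.name": "example-sa-token",
})
BOUND = make_token({
    "iss": "https://kubernetes.default.svc", "aud": ["https://kubernetes.default.svc"],
    "iat": 1700000000, "exp": 1700003600,
    "kubernetes.io": {"namespace": "example-ns", "pod": {"name": "example-pod"}},
})
```

The helper only inspects claims and does not verify signatures, so it is suited to inventorying which credentials a workload mounts, not to authenticating them.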