OCPSTRAT-242 (project: OpenShift Container Platform (OCP) Strategy)

No auto-generated secrets for SA when Registry is disabled
Linked issue: OCPSTRAT-890 No auto-generation of service account secrets

Feature Overview (aka. Goal Summary)

Description of problem:

Even though 4.11 introduced LegacyServiceAccountTokenNoAutoGeneration, matching upstream Kubernetes in no longer generating token secrets when a service account is created, OpenShift today still creates secrets and tokens: one set for the legacy usage of the openshift-controller-manager, and the image-pull secrets.


Customer issues:

Customers see auto-generated secrets for service accounts, which is flagged as a security risk.

This Feature tracks the implementation for removing the legacy usage and the image-pull secret generation as well, so that NO secrets are auto-generated when a Service Account is created on an OpenShift cluster.


      Goals (aka. expected user outcomes)

      NO Secrets to be auto-generated when creating service accounts 

      Requirements (aka. Acceptance Criteria):

The following secrets need to NOT be generated automatically with every Service Account creation:

      1. ImagePullSecrets: needed for the Kubelet to fetch registry credentials directly. Implementation is needed for the following upstream feature.
      2. Dockercfg secrets: the openshift-controller-manager relies on the old token secrets and creates them so that it is able to generate registry credentials for the SAs. A PR was created to remove this: https://github.com/openshift/openshift-controller-manager/pull/223.
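As an added example (not code from the OpenShift project or this tracker), the audit below finds the two kinds of legacy per-ServiceAccount secrets discussed above and in the problem description: the dockercfg image-pull secret and the long-lived token secret. It consumes the JSON shape that `oc get secrets -A -o json` and `oc get sa -A -o json` emit; the sample objects embedded here are constructed to mirror that shape and are not real cluster data. Assumed, based on the legacy behaviour: the dockercfg secret has type `kubernetes.io/dockercfg`, the token secret has type `kubernetes.io/service-account-token`, and both carry the `kubernetes.io/service-account.name` annotation naming their owner. A user-created pull secret of the same type but without that annotation is deliberately not flagged.

```python
"""Audit Secrets for legacy, auto-generated per-ServiceAccount secrets.

Added example, not OpenShift project code. Input is the JSON emitted by
`oc get secrets -A -o json` and `oc get sa -A -o json`; SAMPLE_* below is
constructed to mirror that shape and is not real cluster data.
"""
import json
from dataclasses import dataclass

# Assumption: auto-generated SA secrets carry this annotation naming the SA.
SA_ANNOTATION = "kubernetes.io/service-account.name"
# Assumption: these are the two secret types the feature wants to stop creating.
LEGACY_TYPES = {
    "kubernetes.io/dockercfg": "image-pull (dockercfg) secret",
    "kubernetes.io/service-account-token": "long-lived SA token secret",
}


@dataclass(frozen=True)
class Finding:
    namespace: str
    service_account: str
    secret: str
    kind: str


def find_auto_generated_secrets(secret_list: dict) -> list[Finding]:
    """Return every Secret that looks like a legacy auto-generated SA secret."""
    findings = []
    for item in secret_list.get("items", []):
        meta = item.get("metadata", {})
        kind = LEGACY_TYPES.get(item.get("type"))
        owner = (meta.get("annotations") or {}).get(SA_ANNOTATION)
        # Type alone is not enough: a user-created pull secret may share the type.
        if kind and owner:
            findings.append(Finding(meta["namespace"], owner, meta["name"], kind))
    return sorted(findings, key=lambda f: (f.namespace, f.service_account, f.secret))


def service_accounts_with_legacy_refs(sa_list: dict, findings: list[Finding]) -> dict[str, list[str]]:
    """Map 'ns/sa' -> auto-generated secrets the SA still lists in .secrets or .imagePullSecrets."""
    flagged = {(f.namespace, f.secret) for f in findings}
    out: dict[str, list[str]] = {}
    for sa in sa_list.get("items", []):
        ns, name = sa["metadata"]["namespace"], sa["metadata"]["name"]
        refs = [r["name"] for r in sa.get("secrets", []) + sa.get("imagePullSecrets", [])]
        hits = [r for r in dict.fromkeys(refs) if (ns, r) in flagged]  # dedupe, keep order
        if hits:
            out[f"{ns}/{name}"] = hits
    return out


# Constructed sample: one SA still carrying legacy secrets, one user-made pull
# secret of the same type (no annotation), and one unrelated TLS secret.
SAMPLE_SECRETS = {"items": [
    {"type": "kubernetes.io/dockercfg",
     "metadata": {"namespace": "demo", "name": "builder-dockercfg-abc12",
                  "annotations": {SA_ANNOTATION: "builder",
                                  "openshift.io/token-secret.name": "builder-token-xyz98"}}},
    {"type": "kubernetes.io/service-account-token",
     "metadata": {"namespace": "demo", "name": "builder-token-xyz98",
                  "annotations": {SA_ANNOTATION: "builder"}}},
    {"type": "kubernetes.io/dockercfg",
     "metadata": {"namespace": "demo", "name": "quay-pull-secret"}},
    {"type": "kubernetes.io/tls",
     "metadata": {"namespace": "demo", "name": "app-tls"}},
]}
SAMPLE_SERVICE_ACCOUNTS = {"items": [
    {"metadata": {"namespace": "demo", "name": "builder"},
     "secrets": [{"name": "builder-token-xyz98"}, {"name": "builder-dockercfg-abc12"}],
     "imagePullSecrets": [{"name": "builder-dockercfg-abc12"}]},
    {"metadata": {"namespace": "demo", "name": "app"},
     "imagePullSecrets": [{"name": "quay-pull-secret"}]},
]}


if __name__ == "__main__":
    found = find_auto_generated_secrets(SAMPLE_SECRETS)
    for f in found:
        print(f"{f.namespace}/{f.secret}: {f.kind} for SA {f.service_account}")
    print(json.dumps(service_accounts_with_legacy_refs(SAMPLE_SERVICE_ACCOUNTS, found), indent=2))
```

Run it against a live cluster by loading the two `oc get ... -o json` outputs with `json.load` in place of the constructed samples; an empty result from both functions is the state this feature aims for, while any hit shows which SA would still be affected by the removal.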



      Use Cases (Optional):


      Questions to Answer (Optional):

      Concerns/Risks: Replacing functionality of the openshift-controller-manager that has been in the code for a long time may impact behaviors that w

      Out of Scope





      Customer Considerations


      Documentation Considerations

      Existing documentation needs to be clear on where we are today and why we currently provide the two credentials above. Related Tracker: https://issues.redhat.com/browse/OCPBUGS-13226


      Interoperability Considerations

      People: Anjali Telang (atelang@redhat.com); Michal Fojtik, Wallace Lewis; Stanislav Láznička; Xingxing Xia; Andrea Hoffer; David Eads; Eric Rich