Outcome
Resolution: Done
Critical
0% To Do, 0% In Progress, 100% Done
Outcome Overview
Several customers running OpenShift in production have reported that the secrets auto-generated when a Service Account (SA) is created are flagged as a security issue by their compliance and security teams. Each of these SA secrets carries a long-lived token that never expires and can be misused if leaked, and in a cluster with potentially hundreds of namespaces the number of such tokens/secrets can run into the thousands.
As part of our efforts to harden the platform and ship a secure default configuration, we intend to stop auto-generating secrets for Service Accounts.
Success Criteria
Tokens/Secrets are not auto-generated when SAs are created.
Expected Results (what, how, when)
Compliance teams requiring no long-lived credentials on the clusters will be able to meet their regulatory requirements.
Cluster administrators will create Service Accounts and request tokens only when needed, so they know exactly which credentials exist on the cluster.
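A compliance team verifying the success criterion above will want to enumerate the long-lived SA token secrets that already exist on a cluster, and confirm that newly created Service Accounts no longer add to that list. The following audit script is an added example written for this page, not part of the RFE or of OpenShift itself. It consumes the JSON printed by `oc get secrets -A -o json` (or `kubectl get secrets -A -o json`) and flags every secret of type `kubernetes.io/service-account-token`, which is the type both the legacy auto-generated `<sa>-token-xxxxx` secrets and manually created token secrets use. The embedded secret list is constructed for illustration so the script runs offline; the namespace, secret and SA names in it are made up.

```python
"""Audit a Secret list for long-lived service account token secrets.

Added example, not OpenShift code. Input is the JSON shape produced by
`oc get secrets -A -o json`; the sample below is constructed.
"""
import json
from collections import Counter

# Kubernetes type used for SA token secrets (auto-generated or manual).
SA_TOKEN_TYPE = "kubernetes.io/service-account-token"
# Annotation that records which SA the token secret belongs to.
SA_NAME_ANNOTATION = "kubernetes.io/service-account.name"

# Constructed sample in the shape of `oc get secrets -A -o json`.
# Names and namespaces are hypothetical.
SAMPLE_SECRET_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {   # legacy auto-generated SA token: never expires
            "metadata": {"name": "builder-token-abc12", "namespace": "team-a",
                         "annotations": {SA_NAME_ANNOTATION: "builder"}},
            "type": SA_TOKEN_TYPE,
        },
        {
            "metadata": {"name": "default-token-xyz98", "namespace": "team-a",
                         "annotations": {SA_NAME_ANNOTATION: "default"}},
            "type": SA_TOKEN_TYPE,
        },
        {
            "metadata": {"name": "deployer-token-qq7z1", "namespace": "team-b",
                         "annotations": {SA_NAME_ANNOTATION: "deployer"}},
            "type": SA_TOKEN_TYPE,
        },
        {   # ordinary application secret, not an SA token
            "metadata": {"name": "db-creds", "namespace": "team-b"},
            "type": "Opaque",
        },
        {   # TLS secret, not an SA token
            "metadata": {"name": "ingress-tls", "namespace": "team-b"},
            "type": "kubernetes.io/tls",
        },
    ],
})


def find_sa_token_secrets(secret_list_json):
    """Return (namespace, secret_name, service_account) for every secret of
    type kubernetes.io/service-account-token.  Each one is a long-lived
    credential: the token inside has no expiry and stays valid until the
    secret is deleted, which is exactly what compliance teams object to."""
    doc = json.loads(secret_list_json)
    found = []
    for item in doc.get("items", []):
        if item.get("type") != SA_TOKEN_TYPE:
            continue
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        sa = annotations.get(SA_NAME_ANNOTATION, "<unknown>")
        found.append((meta.get("namespace", ""), meta.get("name", ""), sa))
    return sorted(found)


def count_by_namespace(found):
    """Number of long-lived SA token secrets per namespace."""
    return dict(Counter(ns for ns, _, _ in found))


def report(secret_list_json):
    """Print one line per offending secret plus a total; return the list."""
    found = find_sa_token_secrets(secret_list_json)
    for ns, name, sa in found:
        print(f"{ns}\t{name}\tservice-account={sa}")
    per_ns = count_by_namespace(found)
    print(f"{len(found)} long-lived SA token secret(s) in "
          f"{len(per_ns)} namespace(s)")
    return found


if __name__ == "__main__":
    report(SAMPLE_SECRET_LIST)
```

Run it against a saved dump with `oc get secrets -A -o json > secrets.json` and `report(open("secrets.json").read())`. Once auto-generation is gone, creating a new SA should add nothing to this list; tokens requested on demand through the TokenRequest API (`oc create token <sa> --duration=1h`) are short-lived, bound to the requester's audience, and never stored as a Secret object at all, so they do not appear in this audit.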
Post Completion Review – Actual Results
After completing the work (as determined by the "when" in Expected Results above), list the actual results observed / measured during Post Completion review(s).
Related issue: RFE-4010 No auto-generated secrets when Service Account are created (Accepted)