
separate RootCAConfigMap from BoundServiceAccountToken and Beta #24909

Merged
merged 1 commit into from
Nov 11, 2020

Conversation

zshihang
Contributor

@zshihang zshihang commented Nov 5, 2020

separate RootCAConfigMap from BoundServiceAccountToken, see #24854 (comment)

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Nov 5, 2020
@k8s-ci-robot k8s-ci-robot added language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. labels Nov 5, 2020
@zshihang zshihang changed the base branch from master to dev-1.20 November 5, 2020 17:57
@zshihang
Contributor Author

zshihang commented Nov 5, 2020

issue is opened here: kubernetes/enhancements#542

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 5, 2020
@zshihang
Contributor Author

zshihang commented Nov 5, 2020

/cc @liggitt

@netlify

netlify bot commented Nov 5, 2020

Deploy preview for kubernetes-io-master-staging ready!

Built with commit d69bf37

https://deploy-preview-24909--kubernetes-io-master-staging.netlify.app

Contributor

@sftim sftim left a comment

Thanks @zshihang

Here's some wording suggestions.

@@ -512,6 +514,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
the input Pod's cpu and memory limits. The intent is to break ties between
nodes with same scores.
- `ResourceQuotaScopeSelectors`: Enable resource quota scope selectors.
- `RootCAConfigMap`: Enable kube-controller-manager to publish a "kube-root-ca.crt" ConfigMap to every namespace. This ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver.
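Review bot: the new entry quotes the ConfigMap name as plain text ("kube-root-ca.crt") while the gate name on the same line is in backticks; write it as `kube-root-ca.crt` and link the first mention of ConfigMap to the glossary so the entry matches the neighbouring gate entries. The entry also states what the bundle is for (verifying connections to the kube-apiserver) but gives the reader no pointer to where the feature is documented; since the discussion on this PR lands that material in access-authn-authz/service-accounts-admin.md, a short "see ..." to that page would complete the entry.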
Contributor

Hi. I'd write this as:

Suggested change
- `RootCAConfigMap`: Enable kube-controller-manager to publish a "kube-root-ca.crt" ConfigMap to every namespace. This ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver.
- `RootCAConfigMap`: Configure the kube-controller-manager to publish a {{< glossary_tooltip text="ConfigMap" term_id="configmap" >}} named `kube-root-ca.crt` to every namespace. This ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver.

How does that look?

Contributor Author

done

@@ -512,6 +514,8 @@ Each feature gate is designed for enabling/disabling a specific feature:
the input Pod's cpu and memory limits. The intent is to break ties between
nodes with same scores.
- `ResourceQuotaScopeSelectors`: Enable resource quota scope selectors.
- `RootCAConfigMap`: Enable kube-controller-manager to publish a "kube-root-ca.crt" ConfigMap to every namespace. This ConfigMap contains a CA bundle used for verifying connections to the kube-apiserver.
See [Bound Service Account Tokens](https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/1205-bound-service-account-tokens/README.md) for more details.
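Review bot: the added "See [Bound Service Account Tokens](...)" line points the reader at the KEP for the feature this PR's title says RootCAConfigMap is being separated from, and at the external enhancements repo rather than the kubernetes.io reference docs. Per the thread, the RootCAConfigMap material is going into docs/reference/access-authn-authz/ (service-accounts-admin.md); link there instead of, or in addition to, the KEP so the gate entry does not send readers to a deferred feature.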
Contributor

Can we copy the relevant text from that KEP into pages inside https://kubernetes.io/docs/reference/access-authn-authz/ ?


Contributor

> add it to https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection

That's a good idea too.
(I'm not keen on making task pages the only place to learn about features, because those can be hard to discover.)

Contributor Author

added to access-authn-authz/service-accounts-admin.md

@sftim
Contributor

sftim commented Nov 5, 2020

/sig auth

@k8s-ci-robot k8s-ci-robot added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Nov 5, 2020
@savitharaghunathan
Member

/milestone 1.20

@k8s-ci-robot k8s-ci-robot added this to the 1.20 milestone Nov 5, 2020
@annajung
Contributor

annajung commented Nov 5, 2020

Based on the comment that you linked, I am wondering if this should be pointed at the master branch, since it's not being tracked by the release because the enhancement has been deferred to the next release?

@zshihang
Contributor Author

zshihang commented Nov 5, 2020

The RootCAConfigMap is separated from BoundServiceAccountToken and we would like to document it. BoundServiceAccountToken is deferred to 1.21.

This PR is merged: kubernetes/kubernetes#96197
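How a workload consumes the ConfigMap this PR documents, as an added example that is not part of the PR or of the docs change under review: a Pod that mounts the namespace's `kube-root-ca.crt` ConfigMap next to a projected service account token and uses that bundle, rather than anything baked into the image, to verify its TLS connection to the kube-apiserver. It assumes the `RootCAConfigMap` gate is enabled on the kube-controller-manager, that the ConfigMap stores the bundle under the key `ca.crt` (the key used by the kube-controller-manager publisher; not stated on this page), and that the default `system:discovery` RBAC lets any authenticated identity read `/api`. The namespace `demo`, the Pod name, and the mount path are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: apiserver-ca-check   # placeholder name
  namespace: demo            # placeholder; the ConfigMap is published into every namespace
spec:
  # Take the token and the CA bundle only from the explicit projection below,
  # so the check cannot silently fall back to the auto-mounted secret.
  automountServiceAccountToken: false
  restartPolicy: Never
  containers:
  - name: check
    image: curlimages/curl:8.5.0
    command:
    - sh
    - -c
    - |
      set -eu
      CREDS=/var/run/secrets/kubernetes.io/projected   # placeholder mount path
      # --cacert pins trust to the bundle kube-controller-manager published.
      # A server certificate that does not chain to it fails the handshake
      # instead of being accepted, which is the whole point of the ConfigMap.
      curl --fail --silent --show-error \
        --cacert "$CREDS/ca.crt" \
        -H "Authorization: Bearer $(cat "$CREDS/token")" \
        "https://kubernetes.default.svc/api"
    volumeMounts:
    - name: kube-api-access
      mountPath: /var/run/secrets/kubernetes.io/projected
      readOnly: true
  volumes:
  - name: kube-api-access
    projected:
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600    # short-lived token; the kubelet refreshes it before expiry
      - configMap:
          name: kube-root-ca.crt     # published per namespace when RootCAConfigMap is on
          items:
          - key: ca.crt              # assumed key name; see lead-in
            path: ca.crt
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

Apply it with `kubectl apply -f` and read `kubectl logs -n demo apiserver-ca-check`; a successful run prints the core API group's discovery document, and a CA mismatch surfaces as a curl TLS error rather than a 401. To look at the bundle itself, `kubectl get configmap kube-root-ca.crt -n demo -o jsonpath='{.data.ca\.crt}'` shows the PEM that the controller wrote. One caveat worth keeping in mind when granting RBAC: this ConfigMap is the trust root a Pod in that namespace uses for the API server, so `update` or `patch` on ConfigMaps in a namespace is a trust-affecting permission, not just a configuration one.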

@annajung
Contributor

annajung commented Nov 5, 2020

got it, thanks for the clarification @zshihang

@annajung
Contributor

annajung commented Nov 5, 2020

/assign

@annajung
Contributor

annajung commented Nov 9, 2020

Hi @zshihang, just wanted to follow up to remind you to look into the suggested changes. I believe this PR can be merged as soon as the feedback is addressed. Thank you!

@k8sio-netlify-preview-bot
Collaborator

Deploy preview for kubernetes-io-vnext-staging processing.

Building with commit 0b4952d

https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/5fab1fd6acb62d0008eed78b

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Nov 10, 2020
@tengqm
Contributor

tengqm commented Nov 11, 2020

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 11, 2020
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: f9ffb0e454b4734dd57e89f5a96418005b26c60d

Member

@irvifa irvifa left a comment

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irvifa


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 11, 2020
@k8s-ci-robot k8s-ci-robot merged commit b19e11d into kubernetes:dev-1.20 Nov 11, 2020