OSDOCS#10143: Updating that SA API token secrets are no longer automa… #75196
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
size/S
bergerhoffer
force-pushed
the
OSDOCS-10143
branch
from
fbb6a15
to
0149e2b
Compare
sanchezl
reviewed
Apr 29, 2024
bergerhoffer
force-pushed
the
OSDOCS-10143
branch
from
0149e2b
to
c2dce5c
Compare
openshift-ci
bot
added
size/M
|
@sanchezl Made a few updates if you can take another look. Moved all that info into the warning in creating legacy SA token secrets. Also a few of your earlier feedback I had followup questions on above. Thanks! |
sanchezl
reviewed
May 2, 2024
…tically generated
|
@bergerhoffer: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/label peer-review-needed |
openshift-ci
bot
added
the
peer-review-needed
|
Acknowledged
…On Tue, May 7, 2024 at 6:48 PM Andrea Hoffer ***@***.***> wrote:
@gangwgr <https://github.com/gangwgr> Can you please QE review?
Link to docs preview:
-
https://75196--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/pods/nodes-pods-secrets.html#auto-generated-sa-token-secrets_nodes-pods-secrets
-
https://75196--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/cluster-capabilities#cluster-image-registry-operator_cluster-capabilities
-
https://75196--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets
—
Reply to this email directly, view it on GitHub
<#75196 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AUXLSZ6NIAVGPLGFRNYCPV3ZBDIDBAVCNFSM6AAAAABGZP7EVGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAOJYGM4DQMRZGU>
.
You are receiving this because you were mentioned.Message ID:
***@***.***>
|
|
/lgtm |
jeana-redhat
added
the
peer-review-in-progress
jeana-redhat
reviewed
May 7, 2024
| ==== | ||
| It is recommended to obtain bound service account tokens using the TokenRequest API instead of using service account token secrets. The tokens obtained from the TokenRequest API are more secure than the tokens stored in secrets, because they have a bounded lifetime and are not readable by other API clients. | ||
| It is recommended to obtain bound service account tokens using the TokenRequest API instead of using legacy service account token secrets. You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a non-expiring token in a readable API object is acceptable to you. |
There was a problem hiding this comment.
I don't think this is an exception to the ISG on prefixed hyphens
Suggested change
| It is recommended to obtain bound service account tokens using the TokenRequest API instead of using legacy service account token secrets. You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a non-expiring token in a readable API object is acceptable to you. | |
| It is recommended to obtain bound service account tokens using the TokenRequest API instead of using legacy service account token secrets. You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a nonexpiring token in a readable API object is acceptable to you. |
| @@ -39,7 +32,7 @@ include::modules/nodes-pods-secrets-creating-sa.adoc[leveloffset=+2] | |||
|
|
|||
| ifndef::openshift-rosa,openshift-dedicated[] | |||
|
|
|||
| * For information on requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Using bound service account tokens] | |||
| * For information on requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]. | |||
There was a problem hiding this comment.
Worth changing these additional resources items to the * xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection] format?
openshift-ci
bot
added
peer-review-done
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…tically generated
Version(s):
4.16
Issue:
https://issues.redhat.com/browse/OSDOCS-10143
Link to docs preview:
QE review:
Additional information: