OSDOCS#10143: Updating that SA API token secrets are no longer automatically generated #75196
@sanchezl Made a few updates if you can take another look. Moved all that info into the warning in creating legacy SA token secrets. Also, I had follow-up questions above on a few of your earlier feedback points. Thanks!
@bergerhoffer: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/lgtm
/label peer-review-needed
Acknowledged
On Tue, May 7, 2024 at 6:48 PM Andrea Hoffer wrote:
@gangwgr <https://github.com/gangwgr> Can you please QE review?
Link to docs preview:
- https://75196--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/pods/nodes-pods-secrets.html#auto-generated-sa-token-secrets_nodes-pods-secrets
- https://75196--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/cluster-capabilities#cluster-image-registry-operator_cluster-capabilities
- https://75196--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/pods/nodes-pods-secrets.html#nodes-pods-secrets-creating-sa_nodes-pods-secrets
/lgtm
One ISG nit and a legacy content update to consider, LGTM though
/remove-label peer-review-in-progress
/remove-label peer-review-needed
/label peer-review-done
==== | ||
It is recommended to obtain bound service account tokens using the TokenRequest API instead of using service account token secrets. The tokens obtained from the TokenRequest API are more secure than the tokens stored in secrets, because they have a bounded lifetime and are not readable by other API clients. | ||
It is recommended to obtain bound service account tokens using the TokenRequest API instead of using legacy service account token secrets. You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a non-expiring token in a readable API object is acceptable to you. |
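Review bot: the replacement sentence (second line of the hunk) drops the stated reason that TokenRequest tokens are safer, namely that they have a bounded lifetime and are not readable by other API clients; the new text mentions the non-expiring token in a readable API object only as a condition the reader must accept before creating a legacy secret. Consider keeping one short clause with the rationale, for example "...instead of using legacy service account token secrets, because bound tokens have a bounded lifetime and are not stored in an API object that other clients can read."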
I don't think this is an exception to the ISG on prefixed hyphens
It is recommended to obtain bound service account tokens using the TokenRequest API instead of using legacy service account token secrets. You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a non-expiring token in a readable API object is acceptable to you. | |
It is recommended to obtain bound service account tokens using the TokenRequest API instead of using legacy service account token secrets. You should create a service account token secret only if you cannot use the TokenRequest API and if the security exposure of a nonexpiring token in a readable API object is acceptable to you. |
@@ -39,7 +32,7 @@ include::modules/nodes-pods-secrets-creating-sa.adoc[leveloffset=+2] | |||
|
|||
ifndef::openshift-rosa,openshift-dedicated[] | |||
|
|||
* For information on requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Using bound service account tokens] | |||
* For information on requesting bound service account tokens, see xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]. |
Worth changing these additional resources items to the `* xref:../../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]` format?
Version(s): 4.16
Issue: https://issues.redhat.com/browse/OSDOCS-10143
Link to docs preview:
QE review:
Additional information: