Closed jefflill closed 7 months ago
I was hoping I could set the LegacyServiceAccountTokenNoAutoGeneration=false feature gate, but it turns out that Kubernetes doesn't allow disabling GA features. I guess this makes sense because otherwise the Kubernetes team would need to keep old feature code like this around.
I've updated our feature gate checks to handle this but unfortunately, this means we'll need to deal with TokenRequests immediately.
CLOSING: After further investigation, this wasn't actually the problem. I've gotten past this with the cilium port.
Starting with Kubernetes 1.25, the LegacyServiceAccountTokenNoAutoGeneration=true feature gate defaults to TRUE, which breaks cluster setup and probably a lot of user Helm charts etc. by disabling automatic creation of service account tokens. This is a security enhancement that provides for service token expiration and rotation but requires that service tokens be explicitly created via the TokenRequest API.

From the KEP: "Kubernetes already provisions JWTs to workloads. This functionality is on by default and thus widely deployed. The current workload JWT system has serious issues."

References:
https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens
https://www.linkedin.com/pulse/service-account-token-changes-kubernetes-version-124-shafeeque-aslam
https://programmingwithwolfgang.com/use-the-tokenrequest-api-to-create-tokens-in-kubernetes/
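The difference the issue describes shows up directly in the token claims: a legacy auto-generated Secret token has no `exp` and no `aud`, while a TokenRequest token expires and is bound to an audience and pod. The following is an added example, not code from this issue or its project, that classifies service account JWTs by claim shape so you can inventory which workloads still hold non-expiring legacy tokens. The two sample tokens are constructed inline with a dummy signature; the signature is deliberately not verified, since only the API server can vouch for a token.

```python
import base64
import json
from datetime import datetime, timezone

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_claims(token: str) -> dict:
    """Payload claims of a compact JWT. The signature is NOT checked here:
    only the API server (TokenReview) can vouch for a token; this is inventory."""
    _header, payload, _sig = token.split(".")  # ValueError unless header.payload.sig
    payload += "=" * (-len(payload) % 4)  # restore the padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(payload))

def classify_sa_token(token: str, now=None) -> dict:
    """Tell a legacy Secret-based token from a bound TokenRequest token."""
    now = now or datetime.now(timezone.utc)
    c = decode_claims(token)
    exp = c.get("exp")
    bound = c.get("kubernetes.io") if isinstance(c.get("kubernetes.io"), dict) else None
    if "kubernetes.io/serviceaccount/secret.name" in c and exp is None:
        kind = "legacy"  # auto-generated Secret token: no expiry, no audience
        ns = c["kubernetes.io/serviceaccount/namespace"]
        sa = c["kubernetes.io/serviceaccount/service-account.name"]
    elif bound and exp is not None:
        kind = "bound"  # TokenRequest token: expires, audience- and pod-bound
        ns, sa = bound["namespace"], bound["serviceaccount"]["name"]
    else:
        raise ValueError("claims do not match a known service account token shape")
    return {"kind": kind, "namespace": ns, "service_account": sa,
            "audiences": c.get("aud"),
            "bound_pod": (bound or {}).get("pod", {}).get("name"),
            "expired": exp is not None
                       and datetime.fromtimestamp(exp, timezone.utc) <= now}

# Constructed sample tokens with a dummy signature segment, for demonstration only.
def _unsigned_jwt(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2ln"

LEGACY_TOKEN = _unsigned_jwt({
    "iss": "kubernetes/serviceaccount", "sub": "system:serviceaccount:default:app",
    "kubernetes.io/serviceaccount/namespace": "default",
    "kubernetes.io/serviceaccount/secret.name": "app-token-x7k2q",
    "kubernetes.io/serviceaccount/service-account.name": "app"})
BOUND_TOKEN = _unsigned_jwt({
    "aud": ["https://kubernetes.default.svc.cluster.local"], "exp": 1700003600,
    "kubernetes.io": {"namespace": "default", "pod": {"name": "app-7d9f"},
                      "serviceaccount": {"name": "app"}},
    "sub": "system:serviceaccount:default:app"})
```

Run `classify_sa_token` over tokens pulled from mounted Secrets or projected volumes to list every workload still relying on a legacy token, which is exactly the set a TokenRequest migration has to cover.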
I've added LegacyServiceAccountTokenNoAutoGeneration=false as one of the required feature gates. We should look into removing this in the future.