openshift / origin

Conformance test suite for OpenShift
http://www.openshift.org
Apache License 2.0

NO-JIRA: Demonstrate trampoline pod write fix #28673

Open deads2k opened 1 month ago

deads2k commented 1 month ago

By using the serviceaccount node claim and validatingadmissionpolicy it is possible to restrict the ability of a serviceaccount to write particular resources to only those instances of resource/foo that have `name == node-name` or `.spec.nodeName == node-name` while allowing impeded access for other users. If it is using a serviceaccount token (most do), this requires no modification to the workload being restricted.

I can write up a more detailed enhancement/blog post if desired, but this demonstrates how it can be done with today's TechPreview technology (may require https://github.com/openshift/api/pull/1831).

Once https://github.com/openshift/origin/pull/28670 merges, this will automatically only run on TechPreview and be skipped on Default installations.

per request /cc @derekwaynecarr

likely interest /cc @mrunalp @knobunc
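
As an added illustration of the technique sketched in the description (example configuration, not code from this PR or from openshift/origin), the policy below lets one service account write pods only for the node its token is bound to, while leaving every other user untouched via `matchConditions`. It assumes the `authentication.kubernetes.io/node-name` extra key that node-bound tokens expose, the `admissionregistration.k8s.io/v1` API (a cluster where ValidatingAdmissionPolicy is still beta needs `v1beta1`), and the hypothetical names `example-ns`, `example-node-agent` and `example-per-node-writes`; for a resource keyed by name rather than `.spec.nodeName`, compare `object.metadata.name` instead.

```yaml
# Added example, not from the PR: restrict one service account's pod writes
# to the node named in its node-bound token. All names are hypothetical.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: example-per-node-writes
spec:
  failurePolicy: Fail
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
  # Only requests from the restricted service account are evaluated, so other
  # users and service accounts are unaffected by this policy.
  matchConditions:
    - name: is-restricted-sa
      expression: "request.userInfo.username == 'system:serviceaccount:example-ns:example-node-agent'"
  variables:
    # Node name carried in the token's node claim (assumed extra key name);
    # empty when the token carries no node binding.
    - name: boundNode
      expression: >-
        has(request.userInfo.extra) &&
        'authentication.kubernetes.io/node-name' in request.userInfo.extra
        ? request.userInfo.extra['authentication.kubernetes.io/node-name'][0]
        : ''
  validations:
    # A token without a node binding (for example a long-lived secret token) is rejected.
    - expression: "variables.boundNode != ''"
      message: "service account token must be bound to a node"
    # The pod being written must be scheduled to that node (unscheduled pods are denied).
    - expression: "has(object.spec.nodeName) && object.spec.nodeName == variables.boundNode"
      message: "pod .spec.nodeName must equal the token's node-name claim"
    # On UPDATE the existing pod must already belong to that node, so the account
    # cannot re-point another node's pod at its own.
    - expression: "oldObject == null || (has(oldObject.spec.nodeName) && oldObject.spec.nodeName == variables.boundNode)"
      message: "existing pod must belong to the token's node"
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: example-per-node-writes
spec:
  policyName: example-per-node-writes
  # Roll out with ["Audit", "Warn"] first to observe, then switch to Deny.
  validationActions: ["Deny"]
```

The policy still relies on RBAC granting the service account write access to pods in the first place; the admission policy only narrows that grant to the node in the token.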

openshift-ci-robot commented 1 month ago

@deads2k: This pull request explicitly references no jira issue.

In response to [this](https://github.com/openshift/origin/pull/28673) (the quoted PR description is the same text as the opening comment above).

Instructions for interacting with me using PR comments are available [here](https://prow.ci.openshift.org/command-help?repo=openshift%2Forigin). If you have questions or suggestions related to my behavior, please file an issue against the [openshift-eng/jira-lifecycle-plugin](https://github.com/openshift-eng/jira-lifecycle-plugin/issues/new) repository.

deads2k commented 1 month ago

Checking that skip now

/retest

deads2k commented 1 month ago

/test e2e-gcp-ovn-techpreview

deads2k commented 1 month ago

/retest

openshift-trt-bot commented 1 month ago

Job Failure Risk Analysis for sha: 9e430ae8c002146454cfc5d6ef8072a2014efa0a

| Job Name | Failure Risk |
|---|---|
| pull-ci-openshift-origin-master-e2e-agnostic-ovn-cmd | IncompleteTests |

Tests for this run (26) are below the historical average (469): IncompleteTests (not enough tests ran to make a reasonable risk analysis; this could be due to infra, installation, or upgrade problems)

deads2k commented 1 month ago

[sig-auth][Feature:ServiceAccountTokenNodeBinding][OCPFeatureGate:ValidatingAdmissionPolicy] per-node SA tokens can restrict access by-node [Suite:openshift/conformance/parallel] passed on techpreview

mrunalp commented 1 month ago

fyi @cdoern @yuqi-zhang (for some of the items we need to address)

xpivarc commented 1 month ago

@deads2k any plans to make the extra info available on 4.17?

deads2k commented 1 month ago

> @deads2k any plans to make the extra info available on 4.17?

I think that promotion will happen by default.

openshift-ci[bot] commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/openshift/origin/blob/master/OWNERS)~~ [deads2k]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

deads2k commented 1 month ago

/test e2e-gcp-ovn-techpreview

openshift-trt-bot commented 1 month ago

Job Failure Risk Analysis for sha: 19700295bd747374026887ca4434b570c6b2e029

| Job Name | Failure Risk |
|---|---|
| pull-ci-openshift-origin-master-e2e-aws-ovn-single-node | Low |

[sig-arch] events should not repeat pathologically for ns/openshift-etcd
This test has passed 75.51% of 49 runs on jobs ['periodic-ci-openshift-release-master-nightly-4.16-e2e-aws-ovn-single-node'] in the last 14 days.

deads2k commented 1 week ago

/test e2e-gcp-ovn-techpreview

openshift-ci[bot] commented 1 week ago

@deads2k: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/verify | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test verify |
| ci/prow/e2e-aws-ovn-single-node-upgrade | 826a620367cf5478eb1963cb37095371e10ed732 | link | false | /test e2e-aws-ovn-single-node-upgrade |
| ci/prow/e2e-aws-ovn-single-node | 826a620367cf5478eb1963cb37095371e10ed732 | link | false | /test e2e-aws-ovn-single-node |
| ci/prow/e2e-gcp-ovn-builds | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test e2e-gcp-ovn-builds |
| ci/prow/e2e-gcp-ovn-rt-upgrade | 826a620367cf5478eb1963cb37095371e10ed732 | link | false | /test e2e-gcp-ovn-rt-upgrade |
| ci/prow/e2e-metal-ipi-ovn-ipv6 | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test e2e-metal-ipi-ovn-ipv6 |
| ci/prow/e2e-aws-ovn-edge-zones | 826a620367cf5478eb1963cb37095371e10ed732 | link | true | /test e2e-aws-ovn-edge-zones |

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository. I understand the commands that are listed [here](https://go.k8s.io/bot-commands).