diff --git a/authentication/using-service-accounts-in-applications.adoc b/authentication/using-service-accounts-in-applications.adoc index 90a236ddc3..1111a6f63e 100644 --- a/authentication/using-service-accounts-in-applications.adoc +++ b/authentication/using-service-accounts-in-applications.adoc @@ -10,11 +10,11 @@ include::modules/service-accounts-overview.adoc[leveloffset=+1] include::modules/service-accounts-default.adoc[leveloffset=+1] -// remove these links for 4.12+ +include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2] .Additional resources -* For information about requesting bound service account tokens, see xref:../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection] +* For information about requesting bound service account tokens, see xref:../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]. * For information about creating a service account token secret, see xref:../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret]. diff --git a/modules/nodes-pods-secrets-about.adoc b/modules/nodes-pods-secrets-about.adoc index 9ead375859..c86338275b 100644 --- a/modules/nodes-pods-secrets-about.adoc +++ b/modules/nodes-pods-secrets-about.adoc @@ -84,7 +84,3 @@ For examples of different secret types, see the code samples in _Using Secrets_. == Secret data keys Secret keys must be in a DNS subdomain. - -// remove this snippet for 4.12+ - -include::snippets/service-account-auto-secret-removed.adoc[] diff --git a/modules/service-account-auto-secret-removed.adoc b/modules/service-account-auto-secret-removed.adoc new file mode 100644 index 0000000000..8b527677bd --- /dev/null +++ b/modules/service-account-auto-secret-removed.adoc 
@@ -0,0 +1,29 @@ +// Module included in the following assemblies: +// +// * authentication/using-service-accounts-in-applications.adoc +// * pods/nodes-pods-secrets.adoc + +:_content-type: CONCEPT +[id="auto-generated-sa-token-secrets_{context}"] += About automatically generated service account token secrets + +When a service account is created, a service account token secret is automatically generated for it. This service account token secret, along with an automatically generated docker configuration secret, is used to authenticate to the internal {product-title} registry. Do not rely on these automatically generated secrets for your own use; they might be removed in a future {product-title} release. + +[NOTE] +==== +Prior to {product-title} 4.11, a second service account token secret was generated when a service account was created. This service account token secret was used to access the Kubernetes API. + +Starting with {product-title} 4.11, this second service account token secret is no longer created. This is because the `LegacyServiceAccountTokenNoAutoGeneration` upstream Kubernetes feature gate was enabled, which stops the automatic generation of secret-based service account tokens to access the Kubernetes API. + +After upgrading to {product-version}, any existing service account token secrets are not deleted and continue to function. +==== + +Workloads are automatically injected with a projected volume to obtain a bound service account token. If your workload needs an additional service account token, add an additional projected volume in your workload manifest. Bound service account tokens are more secure than service account token secrets for the following reasons: + +* Bound service account tokens have a bounded lifetime. +* Bound service account tokens contain audiences. +* Bound service account tokens can be bound to pods or secrets and the bound tokens are invalidated when the bound object is removed. 
+ +For more information, see _Configuring bound service account tokens using volume projection_. + +You can also manually create a service account token secret to obtain a token, if the security exposure of a non-expiring token in a readable API object is acceptable to you. For more information, see _Creating a service account token secret_. diff --git a/modules/service-accounts-default.adoc b/modules/service-accounts-default.adoc index 7967014aed..d4ca2b17c4 100644 --- a/modules/service-accounts-default.adoc +++ b/modules/service-accounts-default.adoc @@ -71,7 +71,3 @@ viewing and modifying replication controllers and pods in the project. All service accounts in a project are given the `system:image-puller` role, which allows pulling images from any imagestream in the project using the internal container image registry. - -// remove this snippet for 4.12+ - -include::snippets/service-account-auto-secret-removed.adoc[] diff --git a/nodes/pods/nodes-pods-secrets.adoc b/nodes/pods/nodes-pods-secrets.adoc index ca3f5baa21..82e1e7582b 100644 --- a/nodes/pods/nodes-pods-secrets.adoc +++ b/nodes/pods/nodes-pods-secrets.adoc @@ -10,14 +10,9 @@ Some applications need sensitive information, such as passwords and user names, As an administrator, you can use `Secret` objects to provide this information without exposing that information in clear text. -// The following include statements pull in the module files that comprise -// the assembly. Include any combination of concept, procedure, or reference -// modules required to cover the user story. You can also include other -// assemblies. - include::modules/nodes-pods-secrets-about.adoc[leveloffset=+1] -// remove these links for 4.12+ +include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2] .Additional resources diff --git a/snippets/service-account-auto-secret-removed.adoc b/snippets/service-account-auto-secret-removed.adoc deleted file mode 100644 index 0a4c744a9e..0000000000 
--- a/snippets/service-account-auto-secret-removed.adoc +++ /dev/null @@ -1,16 +0,0 @@ -// When including this file, ensure that {FeatureName} is set immediately before -// the include. Otherwise it will result in an incorrect replacement. - -[id="auto-generated-sa-token-secrets_{context}"] -== About automatically-generated service account token secrets - -In {product-version}, {product-title} is adopting an link:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes-1[enhancement from upstream Kubernetes], which enables the `LegacyServiceAccountTokenNoAutoGeneration` feature by default. As a result, when creating new service accounts (SA), a service account token secret is no longer automatically generated. Previously, {product-title} automatically added a service account token to a secret for each new SA. - -However, some features and workloads need service account token secrets to communicate with the Kubernetes API server, for example, the OpenShift Controller Manager. While this requirement will be changed in a future release, it remains in {product-title} {product-version}. As a result, if you need a service account token secret, you must manually use the TokenRequest API to request bound service account tokens or create a service account token secret. - -After upgrading to {product-version}, existing service account token secrets are not deleted and continue to function as expected. - -[NOTE] -==== -In {product-version}, service account token secrets are still automatically generated. Instead of creating two secrets per service account, {product-title} now only creates one. In a future release, the number will be further reduced to zero. Note that `dockercfg` secrets are still generated and no secrets are deleted during upgrades. -====
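Review bot: in the `authentication/using-service-accounts-in-applications.adoc` hunk, the new `include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2]` sits directly after `include::modules/service-accounts-default.adoc[leveloffset=+1]`, so the module's level-0 `=` title renders as a `===` subsection of the default service accounts section rather than as a sibling of the overview and default modules; confirm that nesting is intended, and if it is, consider a one-line comment saying so, since the old `// remove these links for 4.12+` comment is gone and the next maintainer will otherwise wonder why this one include is at +2. The added period on the first `.Additional resources` bullet is the right fix; note that the new module refers readers to _Configuring bound service account tokens using volume projection_ and _Creating a service account token secret_ by title only, so both xrefs in this block now have to stay.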
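Review bot: in the `modules/nodes-pods-secrets-about.adoc` hunk, dropping `include::snippets/service-account-auto-secret-removed.adoc[]` is required because the snippet file is deleted later in this same patch; before merging, grep the repository for any other `include::snippets/service-account-auto-secret-removed.adoc` that is not among the two modules touched here (this one and `modules/service-accounts-default.adoc`), since a leftover include of a deleted file breaks the build.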
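Review bot: in the new `modules/service-account-auto-secret-removed.adoc`, the "Module included in the following assemblies" header lists `* pods/nodes-pods-secrets.adoc`, but the assembly that includes it in this patch is `nodes/pods/nodes-pods-secrets.adoc`; correct the path so the header is accurate. In the `[NOTE]`, the first two sentences name `4.11` explicitly while the last reads "After upgrading to {product-version}, any existing service account token secrets are not deleted and continue to function"; either use the explicit version there too or phrase it as "4.11 or later", otherwise the statement silently changes meaning each time the attribute is bumped. The closing sentence ("if the security exposure of a non-expiring token in a readable API object is acceptable to you") is the key security caveat of the module and reads well; the three bullets above it (bounded lifetime, audiences, invalidation with the bound object) give the reasons, so no change needed there.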
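Review bot: in the `nodes/pods/nodes-pods-secrets.adoc` hunk, the new include at `leveloffset=+2` follows `include::modules/nodes-pods-secrets-about.adoc[leveloffset=+1]`, which nests the auto-generated-secrets module under "Understanding secrets" in the same way the authentication assembly nests it under the default service accounts module, so the two assemblies are consistent; the module's `[id="auto-generated-sa-token-secrets_{context}"]` depends on `{context}` being set in each assembly, which avoids a duplicate anchor across the two, so confirm both assemblies set `:context:` before the include. The `.Additional resources` block that follows is cut off in this hunk; since the module points readers to _Configuring bound service account tokens using volume projection_ and _Creating a service account token secret_ by title, check that this assembly's block carries both xrefs, as the authentication assembly does. Removing the stale template comment (`// The following include statements pull in the module files ...`) is fine.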
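Review bot: in the deleted `snippets/service-account-auto-secret-removed.adoc`, the old text contradicted itself (the body said "a service account token secret is no longer automatically generated" while its own `[NOTE]` said "service account token secrets are still automatically generated ... now only creates one"), and it carried a `{FeatureName}` comment that nothing in the body used, so replacing it with the new module is the right call. One thing lost in the rewrite is the `link:https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes-1[enhancement from upstream Kubernetes]` reference; consider carrying that link into the new module's `[NOTE]` next to `LegacyServiceAccountTokenNoAutoGeneration`, so readers can trace the feature gate to its upstream source.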