Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

KEP-4193: Update milestone for v1.30 & clarify latest state #4470

Merged
merged 5 commits into from
Feb 7, 2024
Merged

KEP-4193: Update milestone for v1.30 & clarify latest state #4470

merged 5 commits into from
Feb 7, 2024
+115 −13

Conversation

munnerz
Copy link
Member

@munnerz munnerz commented Feb 1, 2024

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Feb 1, 2024
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Feb 1, 2024
@munnerz munnerz mentioned this pull request Feb 1, 2024
Open
25 tasks
@liggitt
Copy link
Member

liggitt commented Feb 1, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 1, 2024
@liggitt
Copy link
Member

liggitt commented Feb 1, 2024

/assign @deads2k
for PRR ack

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Feb 5, 2024
@munnerz munnerz changed the title KEP-4193: Update milestone for 1.30 KEP-4193: Update milestone for v1.30 & clarify latest state Feb 5, 2024
enj
enj reviewed Feb 5, 2024
View reviewed changes
Copy link
Member

@enj enj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit, LGTM

keps/sig-auth/4193-bound-service-account-token-improvements/README.md Outdated Show resolved Hide resolved
@munnerz @enj
Update keps/sig-auth/4193-bound-service-account-token-improvements/RE…
ab8d240 
…ADME.md

Co-authored-by: Mo Khan <i@monis.app>
@liggitt
Copy link
Member

liggitt commented Feb 5, 2024

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 5, 2024
soltysh
soltysh reviewed Feb 5, 2024
View reviewed changes
Copy link
Contributor

@soltysh soltysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#prr-shadow

keps/sig-auth/4193-bound-service-account-token-improvements/README.md Show resolved Hide resolved
keps/sig-auth/4193-bound-service-account-token-improvements/README.md

This JTI is then used for a further audit log lookup - namely, looking for the TokenRequest `create` call which contains
the audit annotation with key `authentication.kubernetes.io/token-identifier` and the value set to that of the suspect token.
the audit annotation with key `authentication.kubernetes.io/issued-credential-id` and the value set to that of the suspect token.

This allows Bob to determine precisely who made the original request for this token, and (depending on the 'chain'
above this token), allows Bob to recursively perform this lookup to find all involved parties that led to this token
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the Test Plan section, please:

  1. Make sure to check the checkbox in the first paragraph.
  2. Make sure to update the test coverage for modified packages in Unit tests.
  3. Make sure to provide links for e2e and integration tests to testgrid.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've gone through and done all these, though for (3), this whole area (bound service account token issuance) doesn't have any e2e or conformance tests as it is - it's all being tested via integration tests at the moment.

Does that mean I should do the same here (which is already complete), or is e2e/conformance testing for all changes a new requirement added since we added bound tokens in ~1.21-ish?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've gone through and done all these, though for (3), this whole area (bound service account token issuance) doesn't have any e2e or conformance tests as it is - it's all being tested via integration tests at the moment.

Integration seems sufficient, but please make sure to link it in the appropriate section. About e2e I'll leave it up to you and auth approvers.

keps/sig-auth/4193-bound-service-account-token-improvements/README.md Outdated Show resolved Hide resolved
keps/sig-auth/4193-bound-service-account-token-improvements/README.md
The `ServiceAccountTokenNodeBindingValidation` feature will graduate to beta one release earlier than `ServiceAccountTokenNodeBinding`
to ensure a safe rollback from version N+1 to N (more info below in rollback considerations section).

All other feature flags can be disabled without any unexpected adverse affects or coordination required.

###### How can this feature be enabled / disabled in a live cluster?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Further down in the doc, please:

  1. Answer the question ###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested?.
  2. ###### What are other known failure modes? should probably list the feature enablement ordering issue.
  3. ###### What steps should be taken if SLOs are not being met to determine the problem? needs an answer
  4. Implementation history needs update

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for (1), what kind of test should I actually perform at each stage of upgrade->downgrade->upgrade again? given this touches a subset of tokens that can be used to authenticate to an apiserver, is it sufficient to just test that these credentials are valid/invalid depending on the upgrade/downgrade (or enablement) status? Is simply enabling the gates and then disabling them again sufficient, or would you expect a full apiserver upgrade to be performed?

for (2), I've not included this as I've added an additional check into the apiserver to prevent startup if the wrong combination of gates is enabled (see #4470 (comment))

(3) and (4) have been completed

thanks!

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for (1), what kind of test should I actually perform at each stage of upgrade->downgrade->upgrade again? given this touches a subset of tokens that can be used to authenticate to an apiserver, is it sufficient to just test that these credentials are valid/invalid depending on the upgrade/downgrade (or enablement) status? Is simply enabling the gates and then disabling them again sufficient, or would you expect a full apiserver upgrade to be performed?

yup, that sounds sufficient.

for (2), I've not included this as I've added an additional check into the apiserver to prevent startup if the wrong combination of gates is enabled (see #4470 (comment))

thank you!

(3) and (4) have been completed

thank you!

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed lgtm "Looks good to me", indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Feb 6, 2024
@soltysh
Copy link
Contributor

soltysh commented Feb 6, 2024

#prr-shadow
so we're down to two rather minor bits:

  1. upgrade description (KEP-4193: Update milestone for v1.30 & clarify latest state #4470 (comment))
  2. integration links (KEP-4193: Update milestone for v1.30 & clarify latest state #4470 (comment))

@k8s-ci-robot k8s-ci-robot removed the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Feb 7, 2024
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Feb 7, 2024
@munnerz
Copy link
Member Author

munnerz commented Feb 7, 2024

#prr-shadow so we're down to two rather minor bits:

  1. upgrade description (KEP-4193: Update milestone for v1.30 & clarify latest state #4470 (comment))
  2. integration links (KEP-4193: Update milestone for v1.30 & clarify latest state #4470 (comment))

thanks! i've added a description of upgrade/downgrade (or rather, feature enablement/disablement) as well as links to integration tests.

soltysh
soltysh reviewed Feb 7, 2024
View reviewed changes
Copy link
Contributor

@soltysh soltysh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#prr-shadow
the prr lgtm

@deads2k
Copy link
Contributor

deads2k commented Feb 7, 2024

lgtm both for sig-auth and prr

/tide merge-method-squash
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 7, 2024
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, liggitt, munnerz

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Feb 7, 2024
@k8s-ci-robot k8s-ci-robot merged commit e95fd98 into kubernetes:master Feb 7, 2024
4 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.30 milestone Feb 7, 2024
@munnerz munnerz deleted the 4193-update-milestone branch February 7, 2024 16:01
@soltysh soltysh mentioned this pull request Apr 3, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@soltysh soltysh soltysh left review comments

@enj enj enj left review comments

@jeremyrickard jeremyrickard Awaiting requested review from jeremyrickard

@mikedanese mikedanese Awaiting requested review from mikedanese

Assignees

@liggitt liggitt

@deads2k deads2k

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory lgtm "Looks good to me", indicates that a PR is ready to be merged. sig/auth Categorizes an issue or PR as relevant to SIG Auth. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
SIG Auth
Archived in project
Milestone
v1.30
Development

Successfully merging this pull request may close these issues.
6 participants
@munnerz @liggitt @soltysh @deads2k @k8s-ci-robot @enj