ServiceAccountIssuerDiscovery: Add user facing documentation #19328
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
|
Deploy preview for kubernetes-io-vnext-staging processing. Building with commit 39a7d4f https://app.netlify.com/sites/kubernetes-io-vnext-staging/deploys/5e6660592c539200084f9b62 |
k8s-ci-robot
added
size/M
|
This looks like it's pending approval for v1.18 release? If so, @mtaufen, you might want to add a /hold |
There was a problem hiding this comment.
@mtaufen thanks for this. Here's some feedback.
Somewhat related to this PR: I recommend creating a new task webpage that explains how to set up Service Account Issuer Discovery and to set --service-account-jwks-uri appropriately.
For the alpha, it's enough to file the issue (against k/website). Please consider adding that task page as a requirement for graduation to beta.
In the issue, mention that this section should link to the new task page.
|
|
||
| {{< note >}} | ||
| The Service Account Issuer Discovery feature is __alpha__ in 1.18 and enabled by | ||
| setting the `ServiceAccountIssuerDiscovery` feature gate to `true` and then |
There was a problem hiding this comment.
| setting the `ServiceAccountIssuerDiscovery` feature gate to `true` and then | |
| enabling the `ServiceAccountIssuerDiscovery` [feature gate](/docs/reference/command-line-tools-reference/feature-and then |
| {{< feature-state for_k8s_version="v1.18" state="alpha" >}} | ||
|
|
||
| {{< note >}} | ||
| The Service Account Issuer Discovery feature is __alpha__ in 1.18 and enabled by |
There was a problem hiding this comment.
This is repeating the feature-state line. I would tell readers how to enable the feature gate (what component?) and omit the repetition.
| Note that the issuer URL must comply with the | ||
| [OIDC Discovery Spec](https://openid.net/specs/openid-connect-discovery-1_0.html). In | ||
| practice, this means it must use the `https` scheme, and should serve an OpenID | ||
| provider configuration at `{service-account-issuer}/.well-known/openid-configuration`. |
There was a problem hiding this comment.
I'd start the {{< note >}} here (move the advice about enabling the feature gate to be before the note block).
| service account tokens issued by a cluster (the _identity provider_) with | ||
| external systems (_relying parties_). | ||
|
|
||
| When enabled, the Kubernetes API server will serve an OpenID Provider |
There was a problem hiding this comment.
| When enabled, the Kubernetes API server will serve an OpenID Provider | |
| When enabled, the Kubernetes API server provides a public OpenID Provider |
There was a problem hiding this comment.
Done. Also added clarification on RBAC, thanks for the reminder with your comment about "public."
| {{< note >}} | ||
| The responses served at `/.well-known/openid-configuration` and | ||
| `/openid/v1/jwks` are designed to be OIDC compatible, but not strictly OIDC | ||
| compliant. Today they contain only the parameters necessary to perform |
There was a problem hiding this comment.
| compliant. Today they contain only the parameters necessary to perform | |
| compliant. Those documents contain only the parameters necessary to perform |
(“today” looks a bit like a statement about the future; see https://kubernetes.io/docs/contribute/style/style-guide/#avoid-statements-about-the-future)
I would definitely remove:
Additional, parameters may be
added if it is determined that doing so improves compatibility with common
client implementations used by relying parties.That kind of detail belongs in the KEP.
There was a problem hiding this comment.
Yup, already in the KEP. Sounds good. Done.
| client implementations used by relying parties. | ||
| {{< /note >}} | ||
|
|
||
| The JWKS contains public keys that can be used to validate the Kubernetes |
There was a problem hiding this comment.
| The JWKS contains public keys that can be used to validate the Kubernetes | |
| The JWKS response contains public keys that can a relying party can use to validate the Kubernetes |
| For additional technical details, see the | ||
| [Service Account Signing Key Retrieval KEP](https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190730-oidc-discovery.md) | ||
| and | ||
| [OIDC Discovery Spec](https://openid.net/specs/openid-connect-discovery-1_0.html). |
There was a problem hiding this comment.
These could (I think should) move into the whatsnext capture.
|
For tech review. /lgtm |
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
lgtm
| JSON Web Key Set (JWKS) at `/openid/v1/jwks`. The OpenID Provider Configuration | ||
| is sometimes referred to as the _discovery document_. | ||
|
|
||
| When enabled, the cluster is also configured with a default RBAC `ClusterRole` |
There was a problem hiding this comment.
nit:
| When enabled, the cluster is also configured with a default RBAC `ClusterRole` | |
| When enabled, the cluster is also configured with a default RBAC ClusterRole |
In the docs, API objects don't go inside backticks.
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
lgtm
k8s-ci-robot
added
the
lgtm
|
@VineethReddy02 is docs lead for the v1.18 release |
|
/assign @VineethReddy02 |
|
👋 Please rebase this PR on Feel free to /hold |
k8s-ci-robot
added
the
do-not-merge/hold
| and then enabling the Service Account Token Projection feature as described above. | ||
|
|
||
| {{< note >}} | ||
| Note that the issuer URL must comply with the |
There was a problem hiding this comment.
| Note that the issuer URL must comply with the | |
| The issuer URL must comply with the |
The shortcode {{< note >}} already marks this as a note.
| See also the | ||
| [Cluster Admin Guide to Service Accounts](/docs/reference/access-authn-authz/service-accounts-admin/). | ||
| See also: | ||
| - [Cluster Admin Guide to Service Accounts](/docs/reference/access-authn-authz/service-accounts-admin/) |
There was a problem hiding this comment.
Add a blank line before this list to keep the Markdown parser happy.
|
|
||
| The Service Account Issuer Discovery feature is enabled by enabling the | ||
| `ServiceAccountIssuerDiscovery` [feature gate](/docs/reference/command-line-tools-reference/feature) | ||
| and then enabling the Service Account Token Projection feature as described above. |
There was a problem hiding this comment.
nit:
| and then enabling the Service Account Token Projection feature as described above. | |
| and then enabling the Service Account Token Projection feature as described [above](#service-account-token-volume-projection). |
|
Hi, @mtaufen As today is the deadline for docs placeholder PR to be ready for review state? Can we have all the requested changes to the PR sometime soon? |
Extends the documentation on configuring service accounts to include details on the ServiceAccountIssuerDiscovery feature.
k8s-ci-robot
removed
the
lgtm
|
/hold cancel @VineethReddy02 all requested changes have been made. |
k8s-ci-robot
removed
the
do-not-merge/hold
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: VineethReddy02 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
Extends the documentation on configuring service accounts to include
details on the ServiceAccountIssuerDiscovery feature.
/cc @VineethReddy02 @liggitt @mikedanese