feature: Enable cross-shard service account authentication #3510

@mjudeikis

Description

Feature Description

Currently, when using a sharded setup and using ServiceAccounts, --service-account-lookup=false must be set. This is due to the fact that when trying to authenticate any service account, requests for SubjectAccessReview are being generated towards the root shard and secondary shards. Meaning if a service account originates from a secondary shard, the root shard will not be able to verify its existence and gives a "Revoked" error.

This means one can't revoke service accounts in sharded setup.

Proposed Solution

We should create machinery as POC'ed in the PRs below to enable cross-shard service account lookups and check-ins.

After this, a few things should be fixed:

  1. Removal of the --service-account-lookup=false flag. This is deprecated upstream, so we need to work on stopping its use either way.
  2. Enable bindings to cross-shard/cross-workspace service accounts, enabling granting access to non-native workspace service accounts.

Related to #3310 and #3274

Alternative Solutions

No response

Want to contribute?

  • I would like to work on this issue.

Additional Context

No response
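A toy model, added here and not taken from kcp or the linked PRs, of the lookup failure the description reports and of the cross-shard routing the proposal asks for: the root-only check wrongly reports a service account from another shard as revoked, while a lookup routed to the issuing shard still catches real deletions and fails closed on an unknown shard. All type and function names are assumptions, and the shard and account data is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// saToken models the claims the authenticating shard can read from a
// service account token: the issuing shard plus namespace and name.
type saToken struct{ Shard, Namespace, Name string }

// shard models one kcp shard; it knows only its own service accounts,
// keyed as "namespace/name".
type shard struct{ Accounts map[string]bool }

var (
	ErrRevoked      = errors.New("service account has been revoked")
	ErrUnknownShard = errors.New("token issued by an unknown shard")
)

// localLookup is the behaviour the issue describes: the root shard only
// consults its own store, so an account living on another shard looks
// deleted and the token is wrongly reported as revoked.
func localLookup(root shard, tok saToken) error {
	if !root.Accounts[tok.Namespace+"/"+tok.Name] {
		return ErrRevoked
	}
	return nil
}

// crossShardLookup routes the existence check to the shard named in the
// token, so a real deletion there is still detected, while a token
// naming a shard nobody knows fails closed instead of being accepted.
func crossShardLookup(shards map[string]shard, tok saToken) error {
	s, ok := shards[tok.Shard]
	if !ok {
		return ErrUnknownShard
	}
	if !s.Accounts[tok.Namespace+"/"+tok.Name] {
		return ErrRevoked
	}
	return nil
}

func main() {
	root := shard{Accounts: map[string]bool{"default/a": true}} // constructed data
	s2 := shard{Accounts: map[string]bool{"team/bot": true}}
	tok := saToken{Shard: "shard-2", Namespace: "team", Name: "bot"}
	fmt.Println(localLookup(root, tok), crossShardLookup(map[string]shard{"root": root, "shard-2": s2}, tok))
}
```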

Metadata

Assignees

No one assigned

Labels

kind/feature (categorizes issue or PR as related to a new feature)
