Merge pull request kubernetes#3696 from zshihang/master

KEP-2799: update for LegacyServiceAccountTokenTracking beta

Author: k8s-ci-robot

keps/sig-auth/2799-reduction-of-secret-based-service-account-token/README.md

@@ -142,9 +142,8 @@ indicates if tracking is enabled in the cluster. It is similar to the existing
 
   - the controller creates/updates a configmap in `kube-system` namespace that
     stores the current date as `tracked-since`.
-  - when a legacy token is used, issue a warning, annotate/update the
-    `last-used` on the secret at date granularity, and record in a metric.
-    optionally, add a label `in-use` for fast query.
+  - when a legacy token is used, issue a warning, update the label `last-used`
+    on the secret at date granularity, and record in a metric.
 
 - When LegacyServiceAccountTokenTracking is disabled in any apiserver,
   - the controller ensures the configmap in `kube-system` namespace is deleted
@@ -235,10 +234,9 @@ legacy tokens for security practices.
 
 #### Alpha -> Beta Graduation
 
-- [ ] In use by multiple distributions
-- [ ] Approved by PRR and scalability
-- [ ] Any known bugs fixed
-- [ ] Tests passing
+- [x] Approved by PRR and scalability
+- [x] Any known bugs fixed
+- [x] Tests passing
 
 #### LegacyServiceAccountTokenCleanUp
 
@@ -255,7 +253,6 @@ legacy tokens for security practices.
 
 #### Alpha -> Beta Graduation
 
-- [ ] In use by multiple distributions
 - [ ] Approved by PRR and scalability
 - [ ] Any known bugs fixed
 - [ ] Tests passing
@@ -286,7 +283,7 @@ The only touches control plane, so version skew strategy is not applicable.
 ###### Does enabling the feature change any default behavior?
 
 - LegacyServiceAccountTokenNoAutoGeneration: no legacy tokens are auto-generated.
-- LegacyServiceAccountTokenTracking: legacy tokens would have new annotation and a configmap would be created in kube-system.
+- LegacyServiceAccountTokenTracking: legacy tokens would have new label and a configmap would be created in kube-system.
 - LegacyServiceAccountTokenCleanUp: unused auto-generated legacy tokens will be removed.
 
 ###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)?
@@ -299,7 +296,7 @@ yes for all feature gates.
   before the reenablement, Token Controller would create tokens for
   serviceaccounts while the feature was off.
 - LegacyServiceAccountTokenTracking: during this sequence of operations,
-  only the annotation `last-used` is persisted, but there is no impact on the
+  only the label `last-used` is persisted, but there is no impact on the
   functionality of this feature.
 - LegacyServiceAccountTokenCleanUp: the same as enable the feature.
 

keps/sig-auth/2799-reduction-of-secret-based-service-account-token/kep.yaml

@@ -13,10 +13,10 @@ reviewers:
 approvers:
   - "@liggitt"
 stage: beta
-latest-milestone: "v1.26"
+latest-milestone: "v1.27"
 milestone:
-  alpha: "v1.24"
-  beta: "v1.25"
+  beta: "v1.24"
+  stable: "v1.26"
 feature-gates:
   - name: LegacyServiceAccountTokenNoAutoGeneration
     components: