Commit d40d91e

Merge pull request #4892 from liggitt/4193-1.32
KEP-4193: stable updates for 1.32
2 parents 51bb92d + c773a5f commit d40d91e

3 files changed

+11
-8
lines changed

keps/prod-readiness/sig-auth/4193.yaml

Lines changed: 2 additions & 0 deletions
@@ -3,3 +3,5 @@ alpha:
33
approver: "deads2k"
44
beta:
55
approver: "@deads2k"
6+
stable:
7+
approver: "@deads2k"
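
Review bot: The approver handle is written two ways in this file: `approver: "deads2k"` under `alpha:` on line 3 and `approver: "@deads2k"` under `beta:` and the new `stable:` entry. The added line matches the beta form, which is fine, but normalizing the alpha entry in the same change would leave one unambiguous spelling for the PRR approver.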

keps/sig-auth/4193-bound-service-account-token-improvements/README.md

Lines changed: 7 additions & 6 deletions
@@ -54,9 +54,9 @@ Items marked with (R) are required *prior to targeting to a milestone / release*
5454
- [ ] (R) Minimum Two Week Window for GA e2e tests to prove flake free
5555
- [x] (R) Graduation criteria is in place
5656
- [ ] (R) [all GA Endpoints](https://github.com/kubernetes/community/pull/1806) must be hit by [Conformance Tests](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/conformance-tests.md)
57-
- [ ] (R) Production readiness review completed
58-
- [ ] (R) Production readiness review approved
59-
- [ ] "Implementation History" section is up-to-date for milestone
57+
- [x] (R) Production readiness review completed
58+
- [x] (R) Production readiness review approved
59+
- [x] "Implementation History" section is up-to-date for milestone
6060
- [ ] User-facing documentation has been created in [kubernetes/website], for publication to [kubernetes.io]
6161
- [ ] Supporting documentation—e.g., additional design documents, links to mailing list discussions/SIG meetings, relevant PRs/issues, release notes
6262
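
Review bot: In the signoff checklist, lines 54 and 56 ("Minimum Two Week Window for GA e2e tests to prove flake free" and "all GA Endpoints must be hit by Conformance Tests") are both marked (R) and stay unchecked while lines 57-59 are ticked for the stable promotion. Either tick them with a pointer to the evidence or state why they do not apply to these gates. The user-facing documentation item on line 60 is also still open.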

@@ -494,7 +494,7 @@ New metrics that can be used to identify if the feature is in use:
494494

495495
###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested?
496496

497-
**For `ServiceAccountTokenJTI` feature (alpha v1.29, beta v1.30):**
497+
**For `ServiceAccountTokenJTI` feature (alpha v1.29, beta v1.30, GA v1.32):**
498498

499499
*Without* the feature gate enabled, issued service account tokens *will not* have their `jti` field set to a random UUID,
500500
and the audit log will not persist the issued credential identifier when issuing a token.
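
Review bot: The heading on line 497 now records GA v1.32 for `ServiceAccountTokenJTI`, but the paragraph on lines 499-500 still describes "*Without* the feature gate enabled" as a configuration an operator can choose. Say whether the gate can still be turned off in 1.32. If it cannot, add that the `jti` claim and the issued credential identifier in the audit log are then always present, which is the detail someone relying on the audit trail needs.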
@@ -510,7 +510,7 @@ as part of the UserInfo in the audit event.
510510
As none of these fields are actually used for validating/verifying a token is valid, enabling & disabling the feature
511511
does not cause any adverse side effects.
512512

513-
**For `ServiceAccountTokenNodeBinding` (alpha v1.29, beta v1.31) and `ServiceAccountTokenNodeBindingValidation` (alpha v1.29, beta v1.30) feature:**
513+
**For `ServiceAccountTokenNodeBinding` (alpha v1.29, beta v1.31) and `ServiceAccountTokenNodeBindingValidation` (alpha v1.29, beta v1.30, GA v1.32) feature:**
514514

515515
*Without* the feature gate enabled, service account tokens that have been bound to Node objects will not have their
516516
node reference claims validated (to ensure the referenced node exists).
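
Review bot: After this edit the heading on line 513 covers two gates at different stages: `ServiceAccountTokenNodeBinding` stays at beta v1.31 while `ServiceAccountTokenNodeBindingValidation` moves to GA v1.32, and the sentence still ends in the singular "feature:". Consider one heading per gate, or a line stating that validation of node reference claims is GA while `ServiceAccountTokenNodeBinding` itself remains beta, so readers do not take the whole node-binding path as stable.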
@@ -529,7 +529,7 @@ than `ServiceAccountTokenNodeBinding`.
529529

530530
Tokens that are bound to objects other than Nodes are unaffected.
531531

532-
**For `ServiceAccountTokenPodNodeInfo` feature (alpha v1.29, beta v1.30):**
532+
**For `ServiceAccountTokenPodNodeInfo` feature (alpha v1.29, beta v1.30, GA v1.32):**
533533

534534
*Without* the feature gate enabled, tokens that are bound to Pod objects will not include information about the Node
535535
that the pod is scheduled/assigned to.
@@ -699,6 +699,7 @@ For example, attempting to issue a node bound token, or attempting to authentica
699699
* Added restrictions to disallow enabling `ServiceAccountTokenNodeBinding` without `ServiceAccountTokenNodeBindingValidation`: https://github.com/kubernetes/kubernetes/pull/123135
700700
* `ServiceAccountTokenJTI`, `ServiceAccountTokenNodeBindingValidation` and `ServiceAccountTokenPodNodeInfo` promoted to beta for v1.30 release
701701
* Promoted `ServiceAccountTokenNodeBinding` promoted to beta for v1.31 release
702+
* Promoted `ServiceAccountTokenJTI`, `ServiceAccountTokenPodNodeInfo`, `ServiceAccountTokenNodeBindingValidation` to stable for v1.32 release
702703

703704
<!--
704705
Major milestones in the lifecycle of a KEP should be tracked in this section.
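
Review bot: The new entry on line 702 names three gates promoted to stable but does not say that `ServiceAccountTokenNodeBinding` is excluded from the v1.32 promotion; a short clause to that effect would match the headings changed earlier in this file. While editing this list, line 701 directly above reads "Promoted `ServiceAccountTokenNodeBinding` promoted to beta", with "promoted" twice, and the new entry lists the gates in a different order from the v1.30 entry on line 700.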

keps/sig-auth/4193-bound-service-account-token-improvements/kep.yaml

Lines changed: 2 additions & 2 deletions
@@ -18,12 +18,12 @@ see-also: []
1818
replaces: []
1919

2020
# The target maturity stage in the current dev cycle for this KEP.
21-
stage: beta
21+
stage: stable
2222

2323
# The most recent milestone for which work toward delivery of this KEP has been
2424
# done. This can be the current (upcoming) milestone, if it is being actively
2525
# worked on.
26-
latest-milestone: "v1.31"
26+
latest-milestone: "v1.32"
2727

2828
# The milestone at which this feature was, or is targeted to be, at each stage.
2929
milestone:
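
Review bot: `stage: stable` on line 21 applies to the KEP as a whole, yet the README hunks in this commit leave `ServiceAccountTokenNodeBinding` at beta v1.31. Confirm that is intended and record it where the KEP lists its feature gates. Also check the `milestone:` map that begins on line 29: this hunk changes only `stage` and `latest-milestone`, so a `stable` milestone entry either already exists below the visible context or is missing.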
