Merge pull request #61541 from bergerhoffer/OCPBUGS-13226

bergerhoffer · web-flow · commit 68c0d74ce65a · 2023-07-27T10:48:26.000-04:00
OCPBUGS 13226: Updating info on auto generated service account token …
diff --git a/authentication/using-service-accounts-in-applications.adoc b/authentication/using-service-accounts-in-applications.adoc
@@ -10,11 +10,11 @@ include::modules/service-accounts-overview.adoc[leveloffset=+1]
 
 include::modules/service-accounts-default.adoc[leveloffset=+1]
 
-// remove these links for 4.12+
+include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2]
 
 .Additional resources
 
-* For information about requesting bound service account tokens, see xref:../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection]
+* For information about requesting bound service account tokens, see xref:../authentication/bound-service-account-tokens.adoc#bound-sa-tokens-configuring_bound-service-account-tokens[Configuring bound service account tokens using volume projection].
 
 * For information about creating a service account token secret, see xref:../nodes/pods/nodes-pods-secrets.adoc#nodes-pods-secrets-creating-sa_nodes-pods-secrets[Creating a service account token secret].
 
diff --git a/modules/nodes-pods-secrets-about.adoc b/modules/nodes-pods-secrets-about.adoc
@@ -84,7 +84,3 @@ For examples of different secret types, see the code samples in _Using Secrets_.
 == Secret data keys
 
 Secret keys must be in a DNS subdomain.
-
-// remove this snippet for 4.12+
-
-include::snippets/service-account-auto-secret-removed.adoc[]
diff --git a/modules/service-account-auto-secret-removed.adoc b/modules/service-account-auto-secret-removed.adoc
@@ -0,0 +1,29 @@
+// Module included in the following assemblies:
+//
+// * authentication/using-service-accounts-in-applications.adoc
+// * pods/nodes-pods-secrets.adoc
+
+:_content-type: CONCEPT
+[id="auto-generated-sa-token-secrets_{context}"]
+= About automatically generated service account token secrets
+
+When a service account is created, a service account token secret is automatically generated for it. This service account token secret, along with an automatically generated docker configuration secret, is used to authenticate to the internal {product-title} registry. Do not rely on these automatically generated secrets for your own use; they might be removed in a future {product-title} release.
+
+[NOTE]
+====
+Prior to {product-title} 4.11, a second service account token secret was generated when a service account was created. This service account token secret was used to access the Kubernetes API.
+
+Starting with {product-title} 4.11, this second service account token secret is no longer created. This is because the `LegacyServiceAccountTokenNoAutoGeneration` upstream Kubernetes feature gate was enabled, which stops the automatic generation of secret-based service account tokens to access the Kubernetes API.
+
+After upgrading to {product-version}, any existing service account token secrets are not deleted and continue to function.
+====
+
+Workloads are automatically injected with a projected volume to obtain a bound service account token. If your workload needs an additional service account token, add an additional projected volume in your workload manifest. Bound service account tokens are more secure than service account token secrets for the following reasons:
+
+* Bound service account tokens have a bounded lifetime.
+* Bound service account tokens contain audiences.
+* Bound service account tokens can be bound to pods or secrets and the bound tokens are invalidated when the bound object is removed.
+
+For more information, see _Configuring bound service account tokens using volume projection_.
+
+You can also manually create a service account token secret to obtain a token, if the security exposure of a non-expiring token in a readable API object is acceptable to you. For more information, see _Creating a service account token secret_.
diff --git a/modules/service-accounts-default.adoc b/modules/service-accounts-default.adoc
@@ -71,7 +71,3 @@ viewing and modifying replication controllers and pods in the project.
 All service accounts in a project are given the `system:image-puller` role,
 which allows pulling images from any imagestream in the project using the
 internal container image registry.
-
-// remove this snippet for 4.12+
-
-include::snippets/service-account-auto-secret-removed.adoc[]
diff --git a/nodes/pods/nodes-pods-secrets.adoc b/nodes/pods/nodes-pods-secrets.adoc
@@ -10,14 +10,9 @@ Some applications need sensitive information, such as passwords and user names,
 
 As an administrator, you can use `Secret` objects to provide this information without exposing that information in clear text.
 
-// The following include statements pull in the module files that comprise
-// the assembly. Include any combination of concept, procedure, or reference
-// modules required to cover the user story. You can also include other
-// assemblies.
-
 include::modules/nodes-pods-secrets-about.adoc[leveloffset=+1]
 
-// remove these links for 4.12+
+include::modules/service-account-auto-secret-removed.adoc[leveloffset=+2]
 
 .Additional resources
 
diff --git a/snippets/service-account-auto-secret-removed.adoc b/snippets/service-account-auto-secret-removed.adoc
