update KEP 740

[HarshalNeelkamal]

• One-line PR description: Update KEP for External ServiceAccount JWT signing

• Issue link: API for external signing of Service Account tokens #740

• Other comments:

  • The KEP was marked provisional in KEP-740: fix incorrect status #3653 due to being stale for over 3 years.
  • This PR attempts to bring the KEP up to speed with recent changes.
  • The intention is that underlying implementation can be picked back up.
  • A consensus regarding external JWT signing was achieved in the community (as documented here)

[k8s-ci-robot]

Welcome @HarshalNeelkamal!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @HarshalNeelkamal. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ahmedtd]

One high-level point of discussion... does this need any feature gates? It seems like it is explicitly controlled by a kube-apiserver flag, so there's no point in additionally adding a feature gate.

[HarshalNeelkamal]

/cc @liggitt @enj @micahhausler

[dims]

/ok-to-test

[enj]

First pass.

[enj]

Need to fill out this section. Maybe we would want some part of this in the kube audit logs?

[HarshalNeelkamal]

Waiting until beta to release to fill it out. Let me know if you think we need it sooner?

[HarshalNeelkamal]

have filled the parts that I could. Would add the remaining after starting implementation. Might need benchmarking on SLIs.

[BenTheElder]

#740 (comment)
/assign @soltysh

[soltysh]

A few minor nits from PRR

[soltysh]

the PRR for alpha looks good
/approve

[liggitt]

no change needed, just FYI, but integration tests will be way easier to test... to configure this for an e2e, we'd have to set up a completely new job with the cluster configured this way

See the KMS e2e tests:

• Their own job config: https://github.com/kubernetes/test-infra/blob/master/config/jobs/kubernetes/sig-auth/sig-auth-encryption-at-rest.yaml
• Their own e2e setup: https://github.com/kubernetes/kubernetes/blob/master/test/e2e/testing-manifests/auth/encrypt/run-e2e.sh
• Their own buildable binary mock provider: https://github.com/kubernetes/kubernetes/tree/master/staging/src/k8s.io/kms/internal/plugins/_mock

[HarshalNeelkamal]

Ack

[enj]

I would still expect an e2e like the encrypt-all-kind one to exercise all the wiring, but I would expect ~95% of the testing to be done via unit/integration tests.

[liggitt]

once you do the final sweep, also run hack/update-toc.sh to fixup to table of contents to pass the verify script

[enj]

Second pass.

[enj]

Please be more specific.

[enj]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: enj, HarshalNeelkamal, soltysh

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS [soltysh]
• keps/sig-auth/OWNERS [enj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment