Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

serviceaccount admission: return correct tokens #44102

Merged
merged 1 commit into from
Apr 5, 2017
Merged

serviceaccount admission: return correct tokens #44102

merged 1 commit into from
Apr 5, 2017

Conversation

ncdc
Copy link
Member

@ncdc ncdc commented Apr 5, 2017
edited by enisoc
Loading

Fix a bug in serviceaccount admission introduced when we switched
everything to use shared informers. That change accidentally reused the
list of secrets instead of creating a new one, resulting in all secrets
in the namespace being returned as possible service account tokens,
instead of limiting it only to the actual service account tokens, as it
did before the shared informer conversion. This also adds a unit test to
ensure there is no future regression here.

This will need to be cherry-picked to 1.6.

What this PR does / why we need it:

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

Release note:

Fixed an issue mounting the wrong secret into pods as a service account token.

cc @smarterclayton @liggitt @sttts @derekwaynecarr @calebamiles @ethernetdan @eparis

serviceaccount admission: return correct tokens
9f95cf7 
Fix a bug in serviceaccount admission introduced when we switched
everything to use shared informers. That change accidentally reused the
list of secrets instead of creating a new one, resulting in all secrets
in the namespace being returned as possible service account tokens,
instead of limiting it only to the actual service account tokens, as it
did before the shared informer conversion. This also adds a unit test to
ensure there is no future regression here.
@ncdc ncdc added area/admission-control cherrypick-candidate kind/bug Categorizes issue or PR as related to a bug. release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Apr 5, 2017
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Apr 5, 2017
@k8s-github-robot k8s-github-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 5, 2017
@k8s-reviewable
Copy link

This change is Reviewable

@liggitt liggitt added this to the v1.6 milestone Apr 5, 2017
@k8s-cherrypick-bot
Copy link

Removing label cherrypick-candidate because no release milestone was set. This is an invalid state and thus this PR is not being considered for cherry-pick to any release branch. Please add an appropriate release milestone and then re-add the label.

@liggitt
Copy link
Member

liggitt commented Apr 5, 2017

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 5, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, ncdc

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 5, 2017
@ncdc
Copy link
Member Author

ncdc commented Apr 5, 2017

@k8s-bot non-cri e2e test this #43977

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit dbcfdb3 into kubernetes:master Apr 5, 2017
@ncdc ncdc mentioned this pull request Apr 5, 2017
Merged
k8s-github-robot pushed a commit that referenced this pull request Apr 6, 2017
Merge pull request #44110 from ncdc/automated-cherry-pick-of-#44102-u…
0b166df 
…pstream-release-1.6

Automatic merge from submit-queue

Automated cherry pick of #44102

Cherry pick of #44102 on release-1.6.

#44102: serviceaccount admission: return correct tokens
@k8s-cherrypick-bot
Copy link

Commit found in the "release-1.6" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.

@liggitt liggitt mentioned this pull request Apr 6, 2017
Merged
13 tasks
@ncdc ncdc deleted the fix-serviceaccount-token-admission branch April 18, 2017 18:01
@redbaron redbaron mentioned this pull request Apr 20, 2017
Closed
mintzhao pushed a commit to mintzhao/kubernetes that referenced this pull request Jun 1, 2017
Merge pull request kubernetes#44110 from ncdc/automated-cherry-pick-o…
ef6e61e 
…f-#44102-upstream-release-1.6

Automatic merge from submit-queue

Automated cherry pick of kubernetes#44102

Cherry pick of kubernetes#44102 on release-1.6.

kubernetes#44102: serviceaccount admission: return correct tokens
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/admission-control cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
v1.6
Development

Successfully merging this pull request may close these issues.
6 participants
@ncdc @k8s-reviewable @k8s-cherrypick-bot @liggitt @k8s-github-robot @k8s-ci-robot