1837914d8e
Automatic merge from submit-queue Enable service account signing key rotation fixes #21007 ```release-note The kube-apiserver --service-account-key-file option can be specified multiple times, or can point to a file containing multiple keys, to enable rotation of signing keys. ``` This PR enables the apiserver authenticator to verify service account tokens signed by different private keys. This can be done two different ways: * including multiple keys in the specified keyfile (e.g. `--service-account-key-file=keys.pem`) * specifying multiple key files (e.g. `--service-account-key-file current-key.pem --service-account-key-file=old-key.pem`) This is part of enabling signing key rotation: 1. update apiserver(s) to verify tokens signed with a new public key while still allowing tokens signed with the current public key (which is what this PR enables) 2. give controllermanager the new private key to sign new tokens with 3. remove old service account tokens (determined by verifying signature or by checking creationTimestamp) once they are no longer in use (determined using garbage collection or magic) or some other algorithm (24 hours after rotation, etc). For the deletion to immediately revoke the token, `--service-account-lookup` must be enabled on the apiserver. 4. once all old tokens are gone, update apiservers again, removing the old public key. |
||
|---|---|---|
| .. | ||
| app | ||
| apiserver.go | ||
| OWNERS | ||