diff --git a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md index 820b9b6ccaa..7cd08a8a6cc 100644 --- a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md +++ b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md 
@@ -56,15 +56,21 @@ It acts synchronously to modify pods as they are created or updated. When this p 1. If the pod does not have a `ServiceAccount` set, it sets the `ServiceAccount` to `default`. 1. It ensures that the `ServiceAccount` referenced by the pod exists, and otherwise rejects it. -1. It adds a `volume` to the pod which contains a token for API access if neither the ServiceAccount `automountServiceAccountToken` nor the Pod's `automountServiceAccountToken` is set to `false`. -1. It adds a `volumeSource` to each container of the pod mounted at `/var/run/secrets/kubernetes.io/serviceaccount`, if the previous step has created a volume for ServiceAccount token. -1. If the pod does not contain any `imagePullSecrets`, then `imagePullSecrets` of the `ServiceAccount` are added to the pod. +1. It adds a `volume` to the pod which contains a token for API access if neither the + ServiceAccount `automountServiceAccountToken` nor the Pod's `automountServiceAccountToken` + is set to `false`. +1. It adds a `volumeSource` to each container of the pod mounted at + `/var/run/secrets/kubernetes.io/serviceaccount`, if the previous step has created a volume + for the ServiceAccount token. +1. If the pod does not contain any `imagePullSecrets`, then `imagePullSecrets` of the + `ServiceAccount` are added to the pod. #### Bound Service Account Token Volume {{< feature-state for_k8s_version="v1.22" state="stable" >}} -The ServiceAccount admission controller will add the following projected volume instead of a Secret-based volume for the non-expiring service account token created by Token Controller. +The ServiceAccount admission controller will add the following projected volume instead of a +Secret-based volume for the non-expiring service account token created by the Token controller. ```yaml - name: kube-api-access- 
@@ -89,9 +95,11 @@ The ServiceAccount admission controller will add the following projected volume This projected volume consists of three sources: -1. A ServiceAccountToken acquired from kube-apiserver via TokenRequest API. It will expire after 1 hour by default or when the pod is deleted. It is bound to the pod and has kube-apiserver as the audience. -1. A ConfigMap containing a CA bundle used for verifying connections to the kube-apiserver. This feature depends on the `RootCAConfigMap` feature gate, which publishes a "kube-root-ca.crt" ConfigMap to every namespace. `RootCAConfigMap` feature gate is graduated to GA in 1.21 and default to true. (This flag will be removed from --feature-gate arg in 1.22) -1. A DownwardAPI that references the namespace of the pod. +1. A `serviceAccountToken` acquired from kube-apiserver via TokenRequest API. It will expire + after 1 hour by default or when the pod is deleted. It is bound to the pod and it has + its audience set to match the audience of the `kube-apiserver`. +1. A `configMap` containing a CA bundle used for verifying connections to the kube-apiserver. +1. A `downwardAPI` that references the namespace of the pod. See more details about [projected volumes](/docs/tasks/configure-pod-container/configure-projected-volume-storage/). @@ -150,3 +158,4 @@ kubectl delete secret mysecretname A ServiceAccount controller manages the ServiceAccounts inside namespaces, and ensures a ServiceAccount named "default" exists in every active namespace. +
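Review bot: in the reflowed fourth step of the `@@ -56` hunk, `volumeSource` names the wrong object. The volume source (the projected volume) belongs to the pod-level `volume` added in the previous step; what the admission controller adds to each container is a `volumeMount`. Suggest `1. It adds a \`volumeMount\` to each container of the pod at \`/var/run/secrets/kubernetes.io/serviceaccount\`, if the previous step has created a volume for the ServiceAccount token.` Since the hunk already rewrites this line, it is the right place to fix the term rather than carry the inaccuracy through the reflow.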
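Review bot: the replacement wording for the first source in the `@@ -89` hunk, "it has its audience set to match the audience of the `kube-apiserver`", is circular and says less than the line it replaces ("has kube-apiserver as the audience"). State the property directly, e.g. `It is bound to the pod and its audience is the API server, so other services that check audience will not accept it.` Two further points in the same hunk: dropping the `RootCAConfigMap` sentence is fine (the feature-gate history is stale), but it was the only place that named the ConfigMap, so keep the name in the new `configMap` bullet, e.g. `A \`configMap\` (\`kube-root-ca.crt\`) containing a CA bundle used for verifying connections to the kube-apiserver.`; and "It will expire after 1 hour by default" should mention that the kubelet refreshes the projected token before it expires, otherwise readers will conclude the pod loses API access after an hour.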
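Review bot: the only change in the `@@ -150` hunk is a stray blank line appended after the final paragraph at end of file; drop it so the patch is limited to the reflow and wording changes and the file does not end with an extra empty line.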