Fix --service-account-key-file description

--service-account-key-file flag to the kube-api-server is used to verify ServiceAccount tokens (and not to sign them).

--service-account-signing-key-file is the kube-api-server flag that's used to sign ServiceAccount tokens (short-lived ones).
--service-account-private-key-file is the kube-controller-manager flag that's used to sign ServiceAccount tokens (long-lived ones).
pull/35553/head
Rohit Agarwal 2022-07-29 17:57:38 -07:00 committed by Rohit Agarwal
parent 919305327c
commit 4747731407
No known key found for this signature in database
1 changed files with 4 additions and 2 deletions

@ -171,8 +171,10 @@ how to manage these tokens with `kubeadm`.
A service account is an automatically enabled authenticator that uses signed
bearer tokens to verify requests. The plugin takes two optional flags:
* `--service-account-key-file` A file containing a PEM encoded key for signing bearer tokens.
If unspecified, the API server's TLS private key will be used.
* `--service-account-key-file` File containing PEM-encoded x509 RSA or ECDSA
private or public keys, used to verify ServiceAccount tokens. The specified file
can contain multiple keys, and the flag can be specified multiple times with
different files. If unspecified, --tls-private-key-file is used.
* `--service-account-lookup` If enabled, tokens which are deleted from the API will be revoked.
Service accounts are usually created automatically by the API server and
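
Review bot: The reworded `--service-account-key-file` bullet now covers verification only, so the page no longer tells the reader where the signing key comes from; the commit message names `--service-account-signing-key-file` (kube-apiserver) and `--service-account-private-key-file` (kube-controller-manager) for that, and a one-sentence pointer to them in or right after this bullet would close the gap. Since the bullet says the file may hold "private or public keys" and is used only to verify, it is also worth stating that a public key is sufficient here. As a style point, the fallback in the last sentence, "--tls-private-key-file", should be wrapped in backticks to match the other flag names in the list.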