kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #25969 from ydFu/add-code-blocks-in-configure-service-account 

Add Code blocks in configure-service-account.md
pull/25979/head
Kubernetes Prow Robot 2021-01-06 07:37:52 -08:00 committed by GitHub
parent d897a03b38 8a479c01e8
commit 8fea26ecba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
content/en/docs/tasks/configure-pod-container/configure-service-account.md
View File

@ -82,6 +82,7 @@ You can list this and any other serviceAccount resources in the namespace with t
```shell
kubectl get serviceaccounts
```
The output is similar to this:
```
@ -108,9 +109,10 @@ If you get a complete dump of the service account object, like this:
```shell
kubectl get serviceaccounts/build-robot -o yaml
```
The output is similar to this:
```
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
@ -164,6 +166,7 @@ Any tokens for non-existent service accounts will be cleaned up by the token con
```shell
kubectl describe secrets/build-robot-secret
```
The output is similar to this:
```
@ -227,7 +230,7 @@ kubectl get serviceaccounts default -o yaml > ./sa.yaml
The output of the `sa.yaml` file is similar to this:
```shell
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
@ -244,7 +247,7 @@ Using your editor of choice (for example `vi`), open the `sa.yaml` file, delete
The output of the `sa.yaml` file is similar to this:
```shell
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
@ -319,7 +322,8 @@ kubectl create -f https://k8s.io/examples/pods/pod-projected-svc-token.yaml
```
The kubelet will request and store the token on behalf of the pod, make the
token available to the pod at a configurable file path, and refresh the token as it approaches expiration. Kubelet proactively rotates the token if it is older than 80% of its total TTL, or if the token is older than 24 hours.
token available to the pod at a configurable file path, and refresh the token as it approaches expiration.
The kubelet proactively rotates the token if it is older than 80% of its total TTL, or if the token is older than 24 hours.
The application is responsible for reloading the token when it rotates. Periodic reloading (e.g. once every 5 minutes) is sufficient for most use cases.
@ -380,7 +384,6 @@ JWKS URI is required to use the `https` scheme.
## {{% heading "whatsnext" %}}
See also:
- [Cluster Admin Guide to Service Accounts](/docs/reference/access-authn-authz/service-accounts-admin/)