kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Update content/en/docs/reference/access-authn-authz/service-accounts-admin.md 

Co-authored-by: Tim Bannister <tim@scalefactory.com>
pull/41156/head
Dave Protasowski 2023-05-23 13:16:26 -04:00 committed by GitHub
parent eb21c7af96
commit f023295351
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/en/docs/reference/access-authn-authz/service-accounts-admin.md
View File

@ -98,8 +98,8 @@ each source also represents a single path within that volume. The three sources
1. A `serviceAccountToken` source, that contains a token that the kubelet acquires from kube-apiserver.
The kubelet fetches time-bound tokens using the TokenRequest API. A token served for a TokenRequest expires
either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). The token
will be refreshed by the kubelet prior to expiry.
either when the pod is deleted or after a defined lifespan (by default, that is 1 hour).
The kubelet also refreshes that token before the token expires.
The token is bound to the specific Pod and has the kube-apiserver as its audience.
This mechanism superseded an earlier mechanism that added a volume based on a Secret,
where the Secret represented the ServiceAccount for the Pod, but did not expire.