From f023295351c18bbd1ba49091a4fe80639e3c89a4 Mon Sep 17 00:00:00 2001 From: Dave Protasowski Date: Tue, 23 May 2023 13:16:26 -0400 Subject: [PATCH] Update content/en/docs/reference/access-authn-authz/service-accounts-admin.md Co-authored-by: Tim Bannister --- .../reference/access-authn-authz/service-accounts-admin.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md index cef4b2bb7e..d799738496 100644 --- a/content/en/docs/reference/access-authn-authz/service-accounts-admin.md +++ b/content/en/docs/reference/access-authn-authz/service-accounts-admin.md @@ -98,8 +98,8 @@ each source also represents a single path within that volume. The three sources 1. A `serviceAccountToken` source, that contains a token that the kubelet acquires from kube-apiserver. The kubelet fetches time-bound tokens using the TokenRequest API. A token served for a TokenRequest expires - either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). The token - will be refreshed by the kubelet prior to expiry. + either when the pod is deleted or after a defined lifespan (by default, that is 1 hour). + The kubelet also refreshes that token before the token expires. The token is bound to the specific Pod and has the kube-apiserver as its audience. This mechanism superseded an earlier mechanism that added a volume based on a Secret, where the Secret represented the ServiceAccount for the Pod, but did not expire.
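Review bot: In the added sentence "The kubelet also refreshes that token before the token expires.", "also" has no clear antecedent and "that token ... the token" repeats the noun. "The kubelet refreshes the token before it expires." says the same thing more directly. Since the first added line is being re-wrapped anyway, "pod" there could be capitalized as "Pod" to match "bound to the specific Pod" in the context line that follows. The paragraph still does not say what a refresh means for the workload. Consider adding a sentence that the refreshed token replaces the one at this source's path in the volume, so readers know an application has to re-read the file rather than hold the first token for the life of the process.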