Merge pull request #11642 from olemarkus/docs-satv

Update the service account issuer discovery documentation
Kubernetes Prow Robot 2021-05-31 08:52:26 -07:00 committed by GitHub
commit ef43708cac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 10 deletions


@ -1,12 +1,3 @@
Some services, such as Istio and Envoy's Secret Discovery Service (SDS), take advantage of a new feature in Kubernetes 1.12+, [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection).
1. In order to enable this feature for Kubernetes 1.12+, add the following config to your cluster spec:
```yaml
kubeAPIServer:
apiAudiences:
- api
- istio-ca
serviceAccountIssuer: kubernetes.default.svc
```
As of kOps 1.20, the API servers will have the ServiceAccount issuers configured correctly and you should not do any custom configuration. The API server will be used for discovery by default. As of kOps 1.21, you can also publish issuer discovery metadata publically. See [the relevant section in the cluster spec](/cluster_spec/#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa).
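Review bot: The paragraph starting "As of kOps 1.20" tells readers not to do any custom configuration, but it gives no guidance to clusters that already followed the earlier instructions in this file and carry `apiAudiences` and `serviceAccountIssuer: kubernetes.default.svc` under `kubeAPIServer`. Please add a sentence saying whether those fields should be removed on upgrade and what happens to tokens already issued if the issuer value changes, since workloads such as the Istio and Envoy SDS cases named here validate the issuer and audience of projected tokens. It would also help to state what "configured correctly" means in practice, for example which issuer value the API servers use by default, so operators can check it against their cluster. Two smaller points on the same line: "publically" should be "publicly", and the link target `/cluster_spec/#service-account-issuer-discovery-and-aws-iam-roles-for-service-accounts-irsa` is root-relative, so please confirm it resolves when the docs are served from a subpath or read in the repository view.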