kops/docs/operations/service_account_token_volumes.md

Some services, such as istio and Envoy's Secrect Discovery Service (SDS), take advantage of a new feature in kubernetes 1.13+, Service Account Token Volume Projection.

1. In order to enable this feature for kubernetes 1.12+, add the following config to your cluster spec:

    kubeAPIServer:
        apiAudiences:
        - api
        - istio-ca
        serviceAccountIssuer: kubernetes.default.svc
        serviceAccountKeyFile:
        - /srv/kubernetes/server.key
        serviceAccountSigningKeyFile: /srv/kubernetes/server.key