kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo, ServiceAccountTokenNodeBindingValidation to stable

This commit is contained in:
Mengjiao Liu 2024-10-31 16:23:09 +08:00
parent d8e00ce4bf
commit 2aca56ea10
4 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/en/docs/reference/command-line-tools-reference/feature-gates/service-account-token-jti.md
View File

@ -13,6 +13,10 @@ stages:
- stage: beta - stage: beta
defaultValue: true defaultValue: true
fromVersion: "1.30" fromVersion: "1.30"
toVersion: "1.31"
- stage: stable
defaultValue: true
fromVersion: "1.32"
--- ---
Controls whether JTIs (UUIDs) are embedded into generated service account tokens, Controls whether JTIs (UUIDs) are embedded into generated service account tokens,
and whether these JTIs are recorded into the Kubernetes audit log for future requests made by these tokens. and whether these JTIs are recorded into the Kubernetes audit log for future requests made by these tokens.

4
content/en/docs/reference/command-line-tools-reference/feature-gates/service-account-token-node-binding-validation.md
View File

@ -13,6 +13,10 @@ stages:
- stage: beta - stage: beta
defaultValue: true defaultValue: true
fromVersion: "1.30" fromVersion: "1.30"
toVersion: "1.31"
- stage: stable
defaultValue: true
fromVersion: "1.32"
--- ---
Controls whether the apiserver will validate a Node reference in service account tokens. Controls whether the apiserver will validate a Node reference in service account tokens.

4
content/en/docs/reference/command-line-tools-reference/feature-gates/service-account-token-pod-node-info.md
View File

@ -13,6 +13,10 @@ stages:
- stage: beta - stage: beta
defaultValue: true defaultValue: true
fromVersion: "1.30" fromVersion: "1.30"
toVersion: "1.31"
- stage: stable
defaultValue: true
fromVersion: "1.32"
--- ---
Controls whether the apiserver embeds the node name and uid Controls whether the apiserver embeds the node name and uid
for the associated node when issuing service account tokens bound to Pod objects. for the associated node when issuing service account tokens bound to Pod objects.

7
content/en/docs/tasks/configure-pod-container/configure-service-account.md
View File

@ -192,8 +192,7 @@ token might be shorter, or could even be longer).
{{< feature-state feature_gate_name="ServiceAccountTokenNodeBinding" >}} {{< feature-state feature_gate_name="ServiceAccountTokenNodeBinding" >}}
When the `ServiceAccountTokenNodeBinding` and `ServiceAccountTokenNodeBindingValidation` Using `kubectl` v1.31 or later, it is possible to create a service
features are enabled, and using `kubectl` v1.31 or later, it is possible to create a service
account token that is directly bound to a Node: account token that is directly bound to a Node:
```shell ```shell
@ -437,10 +436,10 @@ The JSON payload of this token follows a well defined schema - an example payloa
"exp": 1731613413, "exp": 1731613413,
"iat": 1700077413, "iat": 1700077413,
"iss": "https://kubernetes.default.svc", # matches the first value passed to the --service-account-issuer flag "iss": "https://kubernetes.default.svc", # matches the first value passed to the --service-account-issuer flag
"jti": "ea28ed49-2e11-4280-9ec5-bc3d1d84661a", # ServiceAccountTokenJTI feature must be enabled for the claim to be present "jti": "ea28ed49-2e11-4280-9ec5-bc3d1d84661a",
"kubernetes.io": { "kubernetes.io": {
"namespace": "kube-system", "namespace": "kube-system",
"node": { # ServiceAccountTokenPodNodeInfo feature must be enabled for the API server to add this node reference claim "node": {
"name": "127.0.0.1", "name": "127.0.0.1",
"uid": "58456cb0-dd00-45ed-b797-5578fdceaced" "uid": "58456cb0-dd00-45ed-b797-5578fdceaced"
}, },