Update ServiceAccountTokenJTI, ServiceAccountTokenPodNodeInfo, ServiceAccountTokenNodeBindingValidation to stable

Mengjiao Liu 2024-10-31 16:23:09 +08:00
parent d8e00ce4bf
commit 2aca56ea10
4 changed files with 15 additions and 4 deletions


@ -13,6 +13,10 @@ stages:
- stage: beta
defaultValue: true
fromVersion: "1.30"
toVersion: "1.31"
- stage: stable
defaultValue: true
fromVersion: "1.32"
---
Controls whether JTIs (UUIDs) are embedded into generated service account tokens,
and whether these JTIs are recorded into the Kubernetes audit log for future requests made by these tokens.
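Review bot: The description under the `---` is left as "Controls whether JTIs (UUIDs) are embedded ...", which still frames the behaviour as a switch even though the new entry marks the gate `stage: stable` with `defaultValue: true` from 1.32. Consider rewording it to say what the API server does (embeds a JTI in each generated service account token and records it in the audit log for requests made with that token), so the gate page reads correctly for a graduated feature.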


@ -13,6 +13,10 @@ stages:
- stage: beta
defaultValue: true
fromVersion: "1.30"
toVersion: "1.31"
- stage: stable
defaultValue: true
fromVersion: "1.32"
---
Controls whether the apiserver will validate a Node reference in service account tokens.


@ -13,6 +13,10 @@ stages:
- stage: beta
defaultValue: true
fromVersion: "1.30"
toVersion: "1.31"
- stage: stable
defaultValue: true
fromVersion: "1.32"
---
Controls whether the apiserver embeds the node name and uid
for the associated node when issuing service account tokens bound to Pod objects.


@ -192,8 +192,7 @@ token might be shorter, or could even be longer).
{{< feature-state feature_gate_name="ServiceAccountTokenNodeBinding" >}}
When the `ServiceAccountTokenNodeBinding` and `ServiceAccountTokenNodeBindingValidation`
features are enabled, and using `kubectl` v1.31 or later, it is possible to create a service
Using `kubectl` v1.31 or later, it is possible to create a service
account token that is directly bound to a Node:
```shell
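Review bot: The replacement sentence "Using `kubectl` v1.31 or later, it is possible to create a service" drops both gate names, but only `ServiceAccountTokenNodeBindingValidation` is moved to stable in this commit; `ServiceAccountTokenNodeBinding` is not one of the three gates in the commit title, and the `feature-state` shortcode directly above still points at it. Keep the condition for the gate that has not graduated, for example "When the `ServiceAccountTokenNodeBinding` feature is enabled, and using `kubectl` v1.31 or later, ...", so the text and the shortcode agree on what node-bound tokens depend on.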
@ -437,10 +436,10 @@ The JSON payload of this token follows a well defined schema - an example payloa
"exp": 1731613413,
"iat": 1700077413,
"iss": "https://kubernetes.default.svc", # matches the first value passed to the --service-account-issuer flag
"jti": "ea28ed49-2e11-4280-9ec5-bc3d1d84661a", # ServiceAccountTokenJTI feature must be enabled for the claim to be present
"jti": "ea28ed49-2e11-4280-9ec5-bc3d1d84661a",
"kubernetes.io": {
"namespace": "kube-system",
"node": { # ServiceAccountTokenPodNodeInfo feature must be enabled for the API server to add this node reference claim
"node": {
"name": "127.0.0.1",
"uid": "58456cb0-dd00-45ed-b797-5578fdceaced"
},
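Review bot: Dropping the inline comments on `"jti"` and `"node"` removes the only hint in this example that those two claims depended on `ServiceAccountTokenJTI` and `ServiceAccountTokenPodNodeInfo`, and nothing in the hunk replaces it with the version from which they are unconditional. The gate files in this commit give beta for 1.30 to 1.31 and stable from 1.32, so a sentence next to the example saying both claims are included by default would keep anyone writing token validation from this payload from having to look that up in the gate pages.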