4.7 KiB
| api_metadata | content_type | description | title | weight | auto_generated | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
api_reference | TokenRequest requests a token for a given service account. | TokenRequest | 2 | true |
apiVersion: authentication.k8s.io/v1
import "k8s.io/api/authentication/v1"
TokenRequest
TokenRequest requests a token for a given service account.
-
apiVersion: authentication.k8s.io/v1
-
kind: TokenRequest
-
metadata (<a href="{{< ref "../common-definitions/object-meta#ObjectMeta" >}}">ObjectMeta)
-
spec (<a href="{{< ref "../authentication-resources/token-request-v1#TokenRequestSpec" >}}">TokenRequestSpec), required
-
status (<a href="{{< ref "../authentication-resources/token-request-v1#TokenRequestStatus" >}}">TokenRequestStatus)
TokenRequestSpec
TokenRequestSpec contains client provided parameters of a token request.
-
audiences ([]string), required
Audiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
-
boundObjectRef (BoundObjectReference)
BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.
BoundObjectReference is a reference to an object that a token is bound to.
-
boundObjectRef.apiVersion (string)
API version of the referent.
-
boundObjectRef.kind (string)
Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
-
boundObjectRef.name (string)
Name of the referent.
-
boundObjectRef.uid (string)
UID of the referent.
-
-
expirationSeconds (int64)
ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.
TokenRequestStatus
TokenRequestStatus is the result of a token request.
-
expirationTimestamp (Time), required
ExpirationTimestamp is the time of expiration of the returned token.
Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
-
token (string), required
Token is the opaque bearer token.
Operations
create create token of a ServiceAccount
HTTP Request
POST /api/v1/namespaces/{namespace}/serviceaccounts/{name}/token
Parameters
-
name (in path): string, required
name of the TokenRequest
-
namespace (in path): string, required
<a href="{{< ref "../common-parameters/common-parameters#namespace" >}}">namespace
-
body: <a href="{{< ref "../authentication-resources/token-request-v1#TokenRequest" >}}">TokenRequest, required
-
dryRun (in query): string
<a href="{{< ref "../common-parameters/common-parameters#dryRun" >}}">dryRun
-
fieldManager (in query): string
<a href="{{< ref "../common-parameters/common-parameters#fieldManager" >}}">fieldManager
-
pretty (in query): string
<a href="{{< ref "../common-parameters/common-parameters#pretty" >}}">pretty
Response
200 (<a href="{{< ref "../authentication-resources/token-request-v1#TokenRequest" >}}">TokenRequest): OK
201 (<a href="{{< ref "../authentication-resources/token-request-v1#TokenRequest" >}}">TokenRequest): Created
202 (<a href="{{< ref "../authentication-resources/token-request-v1#TokenRequest" >}}">TokenRequest): Accepted
401: Unauthorized