The Service Account Token Volume Projection feature of Kubernetes allows projection of time- and audience-bound service account tokens into Pods. Unlike the legacy secret-based tokens, which never expire and are not bound to a specific audience, projected tokens carry an expiry, are issued for a specific audience and are refreshed by the kubelet before they expire. This feature is used by some applications to enhance security when using service accounts (e.g. Istio uses it by default as of version v1.3).
As of KKP version v2.16, KKP supports Service Account Token Volume Projection as follows: the TokenRequest and TokenRequestProjection Kubernetes feature gates have to be enabled (both are enabled by default since Kubernetes v1.12, where they reached beta, and are GA as of Kubernetes v1.20).
In KKP v2.16, the Service Account Token Volume Projection feature cannot be configured in the KKP dashboard; it is configured via the KKP API (or directly in the Cluster Custom Resource, see below). The Cluster API object provides the serviceAccount field of the ServiceAccountSettings type, with the following definition:
```json
"ServiceAccountSettings": {
  "type": "object",
  "properties": {
    "tokenVolumeProjectionEnabled": {
      "type": "boolean",
      "x-go-name": "TokenVolumeProjectionEnabled"
    },
    "issuer": {
      "description": "Issuer is the identifier of the service account token issuer. If this is not specified, it will be set to the URL of apiserver by default",
      "type": "string",
      "x-go-name": "Issuer"
    },
    "apiAudiences": {
      "description": "APIAudiences are the Identifiers of the API. If this is not specified, it will be set to a single element list containing the issuer URL",
      "type": "array",
      "items": {
        "type": "string"
      },
      "x-go-name": "APIAudiences"
    }
  },
  "x-go-package": "k8c.io/kubermatic/v2/pkg/crd/kubermatic/v1"
}
```
The following table summarizes the supported properties of the ServiceAccountSettings object:

| Property | Description | Default Value |
|---|---|---|
| tokenVolumeProjectionEnabled | Enables the Service Account Token Volume Projection feature. | `false` for clusters with Kubernetes version below v1.20, `true` for clusters with Kubernetes v1.20+. |
| issuer | Identifier of the service account token issuer. The issuer will assert this identifier in the `iss` claim of issued tokens. | The URL of the apiserver, e.g. `https://<api-server-address:port>`. |
| apiAudiences | Identifiers of the API. The service account token authenticator will validate that tokens used against the API are bound to at least one of these audiences (`aud` claim). In the API object this is a list of strings; multiple audiences can be separated by comma (`,`). | Equal to `issuer`. |

Note that the apiserver validates the `iss` claim of projected tokens against the configured issuer. Changing `issuer` on a running cluster therefore makes projected tokens that were issued under the previous value invalid until the kubelet refreshes them, so workloads may see authentication failures for a short period after the change.
To configure the feature in an existing cluster, execute a PATCH request to the URL

`https://<your-kubermatic-domain>/api/v1/projects/<project-id>/dc/<datacenter-name>/clusters/<cluster-id>`

with the following content:

```json
{
  "spec": {
    "serviceAccount": {
      "tokenVolumeProjectionEnabled": true
    }
  }
}
```

You can use the Swagger UI at `https://<your-kubermatic-domain>/rest-api` to construct and send the API request.
Alternatively, the feature can also be configured via the Cluster Custom Resource in the KKP seed cluster. For example, to enable the feature in an existing cluster via kubectl, edit the Cluster CR with

```shell
kubectl edit cluster <cluster-id>
```

and add the following configuration:

```yaml
spec:
  serviceAccount:
    tokenVolumeProjectionEnabled: true
```
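Once the feature is enabled, the practical check is whether the tokens that end up in Pods actually carry the claims the table above describes and would be accepted by the authenticator. The script below is an added example, not part of the KKP documentation or code base: it applies the defaulting rules from the ServiceAccountSettings table (issuer defaults to the apiserver URL, apiAudiences defaults to a single-element list containing the issuer), decodes a projected service account token and reports the mismatches the kube-apiserver's service account authenticator would reject (wrong `iss`, no overlap with the configured audiences, missing or past `exp`). The apiserver URL, the settings dictionary and the sample tokens are constructed for this example; the sample tokens are unsigned placeholders, so the script demonstrates the claim checks only, not signature verification.

```python
"""Check the iss/aud/exp claims of a projected service account token
against a KKP ServiceAccountSettings object.

Added example, not KKP's own code. Sample values are constructed for this
example and the sample tokens are not signed.
"""
from __future__ import annotations

import base64
import json
import time


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWS. The signature is NOT verified;
    this is for inspecting what the apiserver will look at, not for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def effective_settings(service_account: dict, apiserver_url: str) -> tuple[str, list[str]]:
    """Apply the defaults from the ServiceAccountSettings table:
    issuer -> apiserver URL, apiAudiences -> [issuer]."""
    issuer = service_account.get("issuer") or apiserver_url
    audiences = service_account.get("apiAudiences") or [issuer]
    return issuer, audiences


def check_token(token: str, service_account: dict, apiserver_url: str,
                now: float | None = None) -> list[str]:
    """Return the problems the service account authenticator would flag.
    An empty list means the claims are consistent with the settings."""
    issuer, audiences = effective_settings(service_account, apiserver_url)
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    problems: list[str] = []

    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != configured issuer {issuer!r}")

    aud = claims.get("aud", [])
    if isinstance(aud, str):  # a single audience may be encoded as a bare string
        aud = [aud]
    if not set(aud) & set(audiences):
        problems.append(f"aud {aud} not bound to any of {audiences}")

    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim: legacy, non-expiring secret-based token")
    elif exp <= now:
        problems.append(f"token expired at {exp}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned token with the given claims (constructed sample)."""
    header = b64url_encode(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.unsigned-placeholder"


if __name__ == "__main__":
    # Hypothetical user cluster apiserver URL and the PATCH body from above.
    APISERVER = "https://user-cluster.example.test:31000"
    SETTINGS = {"tokenVolumeProjectionEnabled": True}
    NOW = 1_700_000_000

    good = make_sample_token({
        "iss": APISERVER, "aud": [APISERVER], "iat": NOW, "exp": NOW + 3600,
        "sub": "system:serviceaccount:default:default",
        "kubernetes.io": {"namespace": "default",
                          "pod": {"name": "demo", "uid": "pod-uid"},
                          "serviceaccount": {"name": "default", "uid": "sa-uid"}},
    })
    other_aud = make_sample_token({"iss": APISERVER, "aud": ["vault"], "exp": NOW + 3600})
    legacy = make_sample_token({"iss": "kubernetes/serviceaccount",
                                "sub": "system:serviceaccount:default:default"})
    for name, tok in (("projected", good), ("other audience", other_aud), ("legacy", legacy)):
        print(name, check_token(tok, SETTINGS, APISERVER, now=NOW) or "OK")
```

To run this against a real cluster, mount a `serviceAccountToken` projected volume in a Pod with `audience` set to one of the configured apiAudiences and a short `expirationSeconds`, read the token file from the mount path, and pass its contents to `check_token` with the cluster's apiserver URL and the `spec.serviceAccount` object from the Cluster resource. A token whose only audience is some other service (the "other audience" case) is exactly what a leaked token should look like: it is useless against the apiserver, which is the point of audience binding.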