AKS-Arc/aks-edge-howto-key-manager.md
Lines changed: 4 additions & 6 deletions
@@ -4,7 +4,7 @@ description: Learn how to use the Key Manager for Kubernetes extension to rotate
4
4
ms.topic: how-to
5
5
author: sethmanheim
6
6
ms.author: sethm
7
-
ms.date: 02/24/2025
7
+
ms.date: 02/27/2025
8
8
ms.reviewer: leslielin
9
9
---
10
10
@@ -53,10 +53,8 @@ Before you begin, ensure you have the following prerequisites:
53
53
54
54
`trust-manager` is used to distribute a trust bundle to components.
55
55
56
-
- The key manager extension only works with [bounded service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#manual-secret-management-for-serviceaccounts). It doesn't support legacy tokens with infinite lifetimes. If your workflow relies on legacy tokens, do not install this extension.
57
-
- Bounded service account tokens have a default lifetime of one year. To rotate these tokens, this lifetime should be reduced to one day, which ensures that tokens are rapidly reissued and signed with newly rotated keys. To implement these changes, you must modify the `api-server` configuration as follows.
58
-
59
-
Run the following commands:
56
+
- The Key Manager extension only works with [bounded service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#manual-secret-management-for-serviceaccounts). It doesn't support legacy tokens with infinite lifetimes. If your workflow relies on legacy tokens, do not install this extension.
57
+
- Bounded service account tokens have a default lifetime of one year. To rotate these tokens, this lifetime should be reduced to one day, which ensures that tokens are rapidly reissued and signed with newly rotated keys. To implement these changes, you must modify the `api-server` configuration by running the following commands:
@@ -70,7 +68,7 @@ Before you begin, ensure you have the following prerequisites:
70
68
## Install the Key Manager for Kubernetes extension for service account key rotation
71
69
72
70
> [!IMPORTANT]
73
-
> After you install the key manager, the `api-server` is updated with the new service account token during token rotation. This process briefly makes the API server inaccessible as it restarts.
71
+
> After you install the Key Manager extension, the `api-server` is updated with the new service account token during token rotation. This process briefly makes the API server inaccessible while it restarts.
74
72
75
73
Now run the following commands. Replace the variables with your specific resource group name and AKS cluster name:
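Review bot: The reworded IMPORTANT note at new line 71 still says the `api-server` is "updated with the new service account token during token rotation", while the heading at new line 68 and the prerequisites describe rotating the service account signing key ("signed with newly rotated keys"). Tokens are reissued as a result of the rotation; what the API server is restarted to pick up is the key. Suggest wording along the lines of "the `api-server` is updated with the new service account signing key during key rotation". The note would also be more useful to operators if it said how often rotation, and therefore the brief API server outage, occurs, so that the restart can be planned for.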