Commit 30e7c5e

Merge pull request #40235 from yeqiugt/main
Remove some duplicates in content/en/docs/reference/access-authn-authz/service-accounts-admin.md
2 parents fe0f825 + 669f695 commit 30e7c5e

1 file changed

+5
-28
lines changed

content/en/docs/reference/access-authn-authz/service-accounts-admin.md

Lines changed: 5 additions & 28 deletions
@@ -141,6 +141,11 @@ to obtain short-lived API access tokens is recommended instead.
141141

142142
## Control plane details
143143

144+
### ServiceAccount controller
145+
146+
A ServiceAccount controller manages the ServiceAccounts inside namespaces, and
147+
ensures a ServiceAccount named "default" exists in every active namespace.
148+
144149
### Token controller
145150

146151
The service account token controller runs as part of `kube-controller-manager`.
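
Review bot: the added paragraph (new lines 146-147) does not say which component runs the ServiceAccount controller, while the Token controller section directly below it opens with "runs as part of `kube-controller-manager`". Consider adding an equivalent sentence here so the two subsections read consistently. The object name would also read better in code style (`default`) than in plain quotes, matching how the page formats other identifiers.
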
@@ -366,34 +371,6 @@ If you created a namespace `examplens` to experiment with, you can remove it:
366371
kubectl delete namespace examplens
367372
```
368373

369-
## Control plane details
370-
371-
### ServiceAccount controller
372-
373-
A ServiceAccount controller manages the ServiceAccounts inside namespaces, and
374-
ensures a ServiceAccount named "default" exists in every active namespace.
375-
376-
### Token controller
377-
378-
The service account token controller runs as part of `kube-controller-manager`.
379-
This controller acts asynchronously. It:
380-
381-
- watches for ServiceAccount creation and creates a corresponding
382-
ServiceAccount token Secret to allow API access.
383-
- watches for ServiceAccount deletion and deletes all corresponding ServiceAccount
384-
token Secrets.
385-
- watches for ServiceAccount token Secret addition, and ensures the referenced
386-
ServiceAccount exists, and adds a token to the Secret if needed.
387-
- watches for Secret deletion and removes a reference from the corresponding
388-
ServiceAccount if needed.
389-
390-
You must pass a service account private key file to the token controller in
391-
the `kube-controller-manager` using the `--service-account-private-key-file`
392-
flag. The private key is used to sign generated service account tokens.
393-
Similarly, you must pass the corresponding public key to the `kube-apiserver`
394-
using the `--service-account-key-file` flag. The public key will be used to
395-
verify the tokens during authentication.
396-
397374
## {{% heading "whatsnext" %}}
398375

399376
- Read more details about [projected volumes](/docs/concepts/storage/projected-volumes/).
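
Review bot: the removed block (old lines 376-395) holds the full Token controller description, including the paragraph on `--service-account-private-key-file` and `--service-account-key-file`, but the first hunk shows only the opening sentence of the copy that is kept. Before merging, confirm that the retained section from new line 149 onward contains the same four "watches for" bullets and the signing and verification key paragraph, so the deduplication does not drop the only statement of which key signs tokens and which key verifies them.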
