Clarify expiration time for service accounts and tokens of pods pending deletion despite finalizers

Refers #47403

Signed-off-by: aleskandro <[email protected]>

Author: aleskandro

content/en/docs/reference/access-authn-authz/service-accounts-admin.md

@@ -75,6 +75,8 @@ stored as extra 'private claims' in the issued JWT.
 
 When a bound token is presented to the kube-apiserver, the service account authenticator
 will extract and verify these claims.
+If the referenced object or the service account is pending deletion (for example, due to finalizers),
+the request will not be authenticated after 1 minute of the `.metadata.deletionTimestamp`.
 If the referenced object no longer exists (or its `metadata.uid` does not match),
 the request will not be authenticated.
 

content/en/docs/tasks/configure-pod-container/configure-service-account.md

@@ -58,6 +58,10 @@ When a Pod authenticates as a ServiceAccount, its level of access depends on the
 [authorization plugin and policy](/docs/reference/access-authn-authz/authorization/#authorization-modules)
 in use.
 
+The API credentials are automatically revoked when the Pod is deleted, even if
+finalizers are in place. In particular, the API credentials are revoked after 1
+minute of the `.metadata.deletionTimestamp`, which includes the grace period.
+
 ### Opt out of API credential automounting
 
 If you don't want the {{< glossary_tooltip text="kubelet" term_id="kubelet" >}}