@@ -23,7 +23,7 @@ Currently, the following types of volume sources can be projected:
2323* [ ` secret ` ] ( /docs/concepts/storage/volumes/#secret )
2424* [ ` downwardAPI ` ] ( /docs/concepts/storage/volumes/#downwardapi )
2525* [ ` configMap ` ] ( /docs/concepts/storage/volumes/#configmap )
26- * ` serviceAccountToken `
26+ * [ ` serviceAccountToken ` ] ( #serviceaccounttoken )
2727
2828All sources are required to be in the same namespace as the Pod. For more details,
2929see the [ all-in-one volume] ( https://github.com/kubernetes/design-proposals-archive/blob/main/node/all-in-one-volume.md ) design document.
@@ -45,15 +45,18 @@ parameters are nearly the same with two exceptions:
4545 volume source. However, as illustrated above, you can explicitly set the ` mode `
4646 for each individual projection.
4747
48+ ## serviceAccountToken projected volumes {#serviceaccounttoken}
4849When the ` TokenRequestProjection ` feature is enabled, you can inject the token
4950for the current [ service account] ( /docs/reference/access-authn-authz/authentication/#service-account-tokens )
5051into a Pod at a specified path. For example:
5152
5253{{< codenew file="pods/storage/projected-service-account-token.yaml" >}}
5354
5455The example Pod has a projected volume containing the injected service account
55- token. This token can be used by a Pod's containers to access the Kubernetes API
56- server. The ` audience ` field contains the intended audience of the
56+ token. Containers in this Pod can use that token to access the Kubernetes API
57+ server, authenticating with the identity of [ the pod's ServiceAccount]
58+ (/docs/tasks/configure-pod-container/configure-service-account/).
59+ The ` audience ` field contains the intended audience of the
5760token. A recipient of the token must identify itself with an identifier specified
5861in the audience of the token, and otherwise should reject the token. This field
5962is optional and it defaults to the identifier of the API server.
0 commit comments