content/en/docs/reference/access-authn-authz/service-accounts-admin.md
Lines changed: 4 additions & 4 deletions
@@ -58,7 +58,7 @@ It acts synchronously to modify pods as they are created or updated. When this p
58
58
1. It ensures that the `ServiceAccount` referenced by the pod exists, and otherwise rejects it.
59
59
1. It adds a `volume` to the pod which contains a token for API access if neither the ServiceAccount `automountServiceAccountToken` nor the Pod's `automountServiceAccountToken` is set to `false`.
60
60
1. It adds a `volumeSource` to each container of the pod mounted at `/var/run/secrets/kubernetes.io/serviceaccount`, if the previous step has created a volume for ServiceAccount token.
61
-
1. If the pod does not contain any `ImagePullSecrets`, then `ImagePullSecrets` of the `ServiceAccount` are added to the pod.
61
+
1. If the pod does not contain any `imagePullSecrets`, then `imagePullSecrets` of the `ServiceAccount` are added to the pod.
62
62
63
63
#### Bound Service Account Token Volume
64
64
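Review bot: The unchanged step on line 60, directly above the changed line, says a `volumeSource` is added to each container "mounted at" a path, which describes a container volume mount rather than a volume source; since line 61 is being corrected to the API field casing (`imagePullSecrets`), consider fixing that wording in the same change. Line 59 also writes ServiceAccount without backticks while lines 58 and 61 use `ServiceAccount`, so the formatting within this list is still inconsistent.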
@@ -91,14 +91,14 @@ add the following projected volume instead of a Secret-based volume for the non-
91
91
This projected volume consists of three sources:
92
92
93
93
1. A ServiceAccountToken acquired from kube-apiserver via TokenRequest API. It will expire after 1 hour by default or when the pod is deleted. It is bound to the pod and has kube-apiserver as the audience.
94
-
1. A ConfigMap containing a CA bundle used for verifying connections to the kube-apiserver. This feature depends on the `RootCAConfigMap` feature gate being enabled, which publishes a "kube-root-ca.crt" ConfigMap to every namespace. `RootCAConfigMap` is enabled by default in 1.20, and always enabled in 1.21+.
94
+
1. A ConfigMap containing a CA bundle used for verifying connections to the kube-apiserver. This feature depends on the `RootCAConfigMap` feature gate, which publishes a "kube-root-ca.crt" ConfigMap to every namespace. `RootCAConfigMap` feature gate is graduated to GA in 1.21 and default to true. (This flag will be removed from --feature-gate arg in 1.22)
95
95
1. A DownwardAPI that references the namespace of the pod.
96
96
97
97
See more details about [projected volumes](/docs/tasks/configure-pod-container/configure-projected-volume-storage/).
98
98
99
-
You can manually migrate a secret-based service account volume to a projected volume when
99
+
You can manually migrate a Secret-based service account volume to a projected volume when
100
100
the `BoundServiceAccountTokenVolume` feature gate is not enabled by adding the above
101
-
projected volume to the pod spec. However, `RootCAConfigMap` needs to be enabled.
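Review bot: On added line 94, "graduated to GA in 1.21 and default to true" is weaker than the removed "always enabled in 1.21+" and drops the statement that the gate is enabled by default in 1.20, so a reader can no longer tell whether the `kube-root-ca.crt` ConfigMap is guaranteed to be published. Suggest keeping the 1.20 default and the "always enabled" wording, fixing the grammar ("is graduated", "default to true"), and writing the flag as code, `--feature-gates`, instead of "--feature-gate arg". The hunk also removes "However, `RootCAConfigMap` needs to be enabled." on line 101; the line that replaces it is not visible here, so check that the manual-migration paragraph still states that dependency.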