@@ -18,7 +18,8 @@ For an introduction to service accounts, read [configure service accounts](/docs
1818
1919This task guide explains some of the concepts behind ServiceAccounts. The
2020guide also explains how to obtain or revoke tokens that represent
21- ServiceAccounts.
21+ ServiceAccounts, and how to (optionally) bind a ServiceAccount's validity to
22+ the lifetime of an API object.
2223
2324<!-- body -->
2425
@@ -68,7 +69,7 @@ Supported object types are as follows:
6869
6970* Pod (used for projected volume mounts, see below)
7071* Secret (can be used to allow revoking a token by deleting the Secret)
71- * Node (in v1.30 , creating new node-bound tokens is alpha , using existing node-bound tokens is beta )
72+ * Node (in v1.32 , creating new node-bound tokens is beta , using existing node-bound tokens is GA )
7273
7374When a token is bound to an object, the object's ` metadata.name ` and ` metadata.uid ` are
7475stored as extra 'private claims' in the issued JWT.
@@ -159,6 +160,70 @@ does not actually persist the TokenReview object into etcd.
159160Hence `kubectl get tokenreview` is not a valid command.
160161{{< /note >}}
161162
163+ # ### Schema for service account private claims
164+
165+ The schema for the Kubernetes-specific claims within JWT tokens is not currently documented,
166+ however the relevant code area can be found in
167+ [the serviceaccount package](https://github.com/kubernetes/kubernetes/blob/d8919343526597e0788a1efe133c70d9a0c07f69/pkg/serviceaccount/claims.go#L56-L68)
168+ in the Kubernetes codebase.
169+
170+ You can inspect a JWT using standard JWT decoding tool. Below is an example of a JWT for the
171+ ` my-serviceaccount` ServiceAccount, bound to a Pod object named `my-pod` which is scheduled
172+ to the Node `my-node`, in the `my-namespace` namespace :
173+
174+ ` ` ` json
175+ {
176+ "aud": [
177+ "https://my-audience.example.com"
178+ ],
179+ "exp": 1729605240,
180+ "iat": 1729601640,
181+ "iss": "https://my-cluster.example.com",
182+ "jti": "aed34954-b33a-4142-b1ec-389d6bbb4936",
183+ "kubernetes.io": {
184+ "namespace": "my-namespace",
185+ "node": {
186+ "name": "my-node",
187+ "uid": "646e7c5e-32d6-4d42-9dbd-e504e6cbe6b1"
188+ },
189+ "pod": {
190+ "name": "my-pod",
191+ "uid": "5e0bd49b-f040-43b0-99b7-22765a53f7f3"
192+ },
193+ "serviceaccount": {
194+ "name": "my-serviceaccount",
195+ "uid": "14ee3fa4-a7e2-420f-9f9a-dbc4507c3798"
196+ }
197+ },
198+ "nbf": 1729601640,
199+ "sub": "system:serviceaccount:my-namespace:my-serviceaccount"
200+ }
201+ ` ` `
202+
203+ {{< note >}}
204+ The `aud` and `iss` fields in this JWT may differ between different Kubernetes clusters depending
205+ on your configuration.
206+
207+ The presence of both the `pod` and `node` claim implies that this token is bound
208+ to a *Pod* object. When verifying Pod bound ServiceAccount tokens, the API server **does not**
209+ verify the existence of the referenced Node object.
210+ {{< /note >}}
211+
212+ Services that run outside of Kubernetes and want to perform offline validation of JWTs may
213+ use this schema, along with a compliant JWT validator configured with OpenID Discovery information
214+ from the API server, to verify presented JWTs without requiring use of the TokenReview API.
215+
216+ Services that verify JWTs in this way **do not verify** the claims embedded in the JWT token to be
217+ current and still valid.
218+ This means if the token is bound to an object, and that object no longer exists, the token will still
219+ be considered valid (until the configured token expires).
220+
221+ Clients that require assurance that a token's bound claims are still valid **MUST** use the TokenReview
222+ API to present the token to the `kube-apiserver` for it to verify and expand the embedded claims, using
223+ similar steps to the [Verifying and inspecting private claims](#verifying-and-inspecting-private-claims)
224+ section above, but with a [supported client library](/docs/reference/using-api/client-libraries/).
225+ For more information on JWTs and their structure, see the [JSON Web Token RFC](https://datatracker.ietf.org/doc/html/rfc7519).
226+
162227# # Bound service account token volume mechanism {#bound-service-account-token-volume}
163228
164229{{< feature-state feature_gate_name="BoundServiceAccountTokenVolume" >}}
0 commit comments