OCPBUGS#3154 BoundServiceAccountToken has 365d validation period even it has expirationSeconds: 3607

cbippley · cbippley · commit 9c80bb1d91d1 · 2023-09-22T11:19:06.000-04:00
diff --git a/modules/bound-sa-tokens-configuring.adoc b/modules/bound-sa-tokens-configuring.adoc
@@ -122,8 +122,13 @@ spec:
 ----
 <1> A reference to an existing service account.
 <2> The path relative to the mount point of the file to project the token into.
-<3> Optionally set the expiration of the service account token, in seconds. The default is 3600 seconds (1 hour) and must be at least 600 seconds (10 minutes). The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours.
+<3> Optionally set the expiration of the service account token, in seconds. The default is 3600 seconds (1 hour) and must be at least 600 seconds (10 minutes). The kubelet will start trying to rotate the token if the token is older than 80 percent of its time to live or if the token is older than 24 hours. 
 <4> Optionally set the intended audience of the token. The recipient of a token should verify that the recipient identity matches the audience claim of the token, and should otherwise reject the token. The audience defaults to the identifier of the API server.
++
+[NOTE]
+====
+In order to prevent unexpected failure, {product-title} overrides the `expirationSeconds` value to be one year from the initial token generation with the `--service-account-extend-token-expiration` default of `true`. You cannot change this setting.
+====
 
 .. Create the pod:
 +
