Merge pull request #74420 from jherrman/CNV-37922

mburke5678 · web-flow · commit e1e58f8c62e4 · 2024-07-03T10:07:09.000-04:00
OSDOCS: CNV-37922 - Adding docs on VNC token revocation
diff --git a/modules/virt-temporary-token-VNC.adoc b/modules/virt-temporary-token-VNC.adoc
@@ -6,7 +6,7 @@
 [id="virt-temporary-token-VNC_{context}"]
 = Generating a temporary token for the VNC console
 
-Generate a temporary authentication bearer token for the Kubernetes API to access the VNC of a virtual machine (VM).
+To access the VNC of a virtual machine (VM), generate a temporary authentication bearer token for the Kubernetes API.
 
 [NOTE]
 ====
@@ -15,7 +15,7 @@ Kubernetes also supports authentication using client certificates, instead of a
 
 .Prerequisites
 
-* A running virtual machine with {VirtProductName} 4.14 or later and xref:../../virt/about-virt/virt-architecture#virt-about-ssp-operator_virt-architecture[`ssp-operator`] 4.14 or later
+* A running VM with {VirtProductName} 4.14 or later and xref:../../virt/about-virt/virt-architecture#virt-about-ssp-operator_virt-architecture[`ssp-operator`] 4.14 or later
 
 .Procedure
 
@@ -26,14 +26,15 @@ Kubernetes also supports authentication using client certificates, instead of a
 $ oc patch hyperconverged kubevirt-hyperconverged -n {CNVNamespace} --type json -p '[{"op": "replace", "path": "/spec/featureGates/deployVmConsoleProxy", "value": true}]'
 ----
 
-. Generate a token by running the following command:
+. Generate a token by entering the following command:
 +
 [source,terminal]
 ----
 $ curl --header "Authorization: Bearer ${TOKEN}" \
-     "https://api.<cluster_fqdn>/apis/token.kubevirt.io/v1alpha1/namespaces/<namespace>/virtualmachines/<vm_name>/vnc?duration=<duration>" <1>
+     "https://api.<cluster_fqdn>/apis/token.kubevirt.io/v1alpha1/namespaces/<namespace>/virtualmachines/<vm_name>/vnc?duration=<duration>"
 ----
-<1> Duration can be in hours and minutes, with a minimum duration of 10 minutes. Example: `5h30m`. The token is valid for 10 minutes by default if this parameter is not set.
++
+The `<duration>` parameter can be set in hours and minutes, with a minimum duration of 10 minutes. For example: `5h30m`. If this parameter is not set, the token is valid for 10 minutes by default.
 +
 Sample output:
 +
@@ -53,16 +54,28 @@ You can now use the token to access the VNC console of a VM.
 
 .Verification
 
-.  Log in to the cluster by running the following command:
+.  Log in to the cluster by entering the following command:
 +
 [source,terminal]
 ----
 $ oc login --token ${VNC_TOKEN}
 ----
 
-.  Use `virtctl` to test access to the VNC console of the VM by running the following command:
+.  Test access to the VNC console of the VM by using the `virtctl` command:
 +
 [source,terminal]
 ----
 $ virtctl vnc <vm_name> -n <namespace>
 ----
+
+[WARNING]
+====
+It is currently not possible to revoke a specific token. 
+
+To revoke a token, you must delete the service account that was used to create it. However, this also revokes all other tokens that were created by using the service account. Use the following command with caution:
+
+[source,terminal]
+----
+$ virtctl delete serviceaccount --namespace "<namespace>" "<vm_name>-vnc-access" 
+----
+====
