From 031075d149ca12dd66c16cc80d88d38086c2bbae Mon Sep 17 00:00:00 2001
From: Max Goltzsche <mgoltzsche@users.noreply.github.com>
Date: Thu, 2 Mar 2023 02:47:23 +0100
Subject: [PATCH] check jwt timestamp for zero value

Co-authored-by: Jordan Liggitt <jordan@liggitt.net>
---
 pkg/serviceaccount/claims.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/serviceaccount/claims.go b/pkg/serviceaccount/claims.go
index 19d92ab37ea..a6889d28293 100644
--- a/pkg/serviceaccount/claims.go
+++ b/pkg/serviceaccount/claims.go
@@ -198,7 +198,7 @@ func (v *validator) Validate(ctx context.Context, _ string, public *jwt.Claims,
 
 	// Check special 'warnafter' field for projected service account token transition.
 	warnafter := private.Kubernetes.WarnAfter
-	if warnafter != nil {
+	if warnafter != nil && *warnafter != 0 {
 		if nowTime.After(warnafter.Time()) {
 			secondsAfterWarn := nowTime.Unix() - warnafter.Time().Unix()
 			auditInfo := fmt.Sprintf("subject: %s, seconds after warning threshold: %d", public.Subject, secondsAfterWarn)