diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token.go b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token.go
index 63f52169d1c..adfd5964dc9 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token.go
@@ -148,7 +148,7 @@ func NewCmdCreateToken(f cmdutil.Factory, ioStreams genericiooptions.IOStreams)
 
 	cmd.Flags().StringArrayVar(&o.Audiences, "audience", o.Audiences, "Audience of the requested token. If unset, defaults to requesting a token for use with the Kubernetes API server. May be repeated to request a token valid for multiple audiences.")
 
-	cmd.Flags().DurationVar(&o.Duration, "duration", o.Duration, "Requested lifetime of the issued token. If not set, the lifetime will be determined by the server automatically. The server may return a token with a longer or shorter lifetime.")
+	cmd.Flags().DurationVar(&o.Duration, "duration", o.Duration, "Requested lifetime of the issued token. If not set or if set to 0, the lifetime will be determined by the server automatically. The server may return a token with a longer or shorter lifetime.")
 
 	cmd.Flags().StringVar(&o.BoundObjectKind, "bound-object-kind", o.BoundObjectKind, "Kind of an object to bind the token to. "+
 		"Supported kinds are "+strings.Join(sets.StringKeySet(boundObjectKindToAPIVersions()).List(), ", ")+". "+
@@ -208,8 +208,8 @@ func (o *TokenOptions) Validate() error {
 	if len(o.Namespace) == 0 {
 		return fmt.Errorf("--namespace is required")
 	}
-	if o.Duration < 0 || (o.Duration == 0 && o.Flags.Changed("duration")) {
-		return fmt.Errorf("--duration must be positive")
+	if o.Duration < 0 {
+		return fmt.Errorf("--duration must be greater than or equal to 0")
 	}
 	if o.Duration%time.Second != 0 {
 		return fmt.Errorf("--duration cannot be expressed in units less than seconds")
diff --git a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token_test.go b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token_test.go
index 7df27dec16d..642ac38b6d5 100644
--- a/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/cmd/create/create_token_test.go
@@ -219,7 +219,7 @@ status:
 			test:         "invalid duration",
 			name:         "mysa",
 			duration:     -1,
-			expectStderr: `error: --duration must be positive`,
+			expectStderr: `error: --duration must be greater than or equal to 0`,
 		},
 		{
 			test:         "invalid duration unit",
@@ -243,7 +243,22 @@ status:
 			serverResponseToken: "abc",
 			expectStdout:        "abc",
 		},
+		{
+			test: "zero duration act as default",
+			name: "mysa",
 
+			duration: 0 * time.Second,
+
+			expectRequestPath: "/api/v1/namespaces/test/serviceaccounts/mysa/token",
+			expectTokenRequest: &authenticationv1.TokenRequest{
+				TypeMeta: metav1.TypeMeta{APIVersion: "authentication.k8s.io/v1", Kind: "TokenRequest"},
+				Spec: authenticationv1.TokenRequestSpec{
+					ExpirationSeconds: nil,
+				},
+			},
+			serverResponseToken: "abc",
+			expectStdout:        "abc",
+		},
 		{
 			test: "server error",
 			name: "mysa",