diff --git a/docs/user-guide/accessing-the-cluster.md b/docs/user-guide/accessing-the-cluster.md index 9c601b6246a..a675856a5a6 100644 --- a/docs/user-guide/accessing-the-cluster.md +++ b/docs/user-guide/accessing-the-cluster.md @@ -170,6 +170,13 @@ is associated with a service account, and a credential (token) for that service account is placed into the filesystem tree of each container in that pod, at `/var/run/secrets/kubernetes.io/serviceaccount/token`. +If available, a certificate bundle is placed into the filesystem tree of each +container at `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`, and should be +used to verify the serving certificate of the apiserver. + +Finally, the default namespace to be used for namespaced API operations is placed in a file +at `/var/run/secrets/kubernetes.io/serviceaccount/namespace` in each container. + From within a pod the recommended ways to connect to API are: - run a kubectl proxy as one of the containers in the pod, or as a background process within a container. This proxies the diff --git a/docs/user-guide/service-accounts.md b/docs/user-guide/service-accounts.md index 1766e583a11..f8e09c15618 100644 --- a/docs/user-guide/service-accounts.md +++ b/docs/user-guide/service-accounts.md @@ -156,7 +156,8 @@ Type: kubernetes.io/service-account-token Data ==== ca.crt: 1220 bytes -token: +token: ... +namespace: 7 bytes ``` > Note that the content of `token` is elided here.
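Review bot: In the `accessing-the-cluster.md` hunk, the added `ca.crt` paragraph opens with "If available" but never says when the bundle is absent or what a client should do in that case. As written, a reader could take a missing `ca.crt` as permission to skip verification of the apiserver's serving certificate. Suggest stating the condition under which the file is present, and saying that a client which cannot find it should fail rather than connect unverified. In the same hunk, "the default namespace to be used for namespaced API operations" can be read as the namespace literally named `default`. Please say which namespace is written to the `namespace` file, so readers know what value to expect there.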
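Review bot: In the `service-accounts.md` hunk, the sample output now mixes two conventions: `ca.crt: 1220 bytes` and `namespace: 7 bytes` show sizes, while `token: ...` uses an ellipsis that could be mistaken for literal output. The existing note below the block ("the content of `token` is elided here") covers this, but it implies the real command prints the token itself. It would be worth one more sentence saying that the output contains a usable credential and should be handled as such when pasted into tickets or logs. Also confirm that the `namespace` line appears after `token` in the actual output, so the example matches what users will see.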