implement service account token projection

plugin/pkg/admission/serviceaccount/admission.go

@@ -208,6 +208,15 @@ func (s *serviceAccount) Validate(a admission.Attributes) (err error) {
 		if hasSecrets {
 			return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not reference secrets"))
 		}
+		for _, v := range pod.Spec.Volumes {
+			if proj := v.Projected; proj != nil {
+				for _, projSource := range proj.Sources {
+					if projSource.ServiceAccountToken != nil {
+						return admission.NewForbidden(a, fmt.Errorf("a mirror pod may not use ServiceAccountToken volume projections"))
+					}
+				}
+			}
+		}
 		return nil
 	}
 

plugin/pkg/admission/serviceaccount/admission_test.go

@@ -138,6 +138,31 @@ func TestRejectsMirrorPodWithSecretVolumes(t *testing.T) {
 	}
 }
 
+func TestRejectsMirrorPodWithServiceAccountTokenVolumeProjections(t *testing.T) {
+	pod := &api.Pod{
+		ObjectMeta: metav1.ObjectMeta{
+			Annotations: map[string]string{
+				kubelet.ConfigMirrorAnnotationKey: "true",
+			},
+		},
+		Spec: api.PodSpec{
+			Volumes: []api.Volume{
+				{VolumeSource: api.VolumeSource{
+					Projected: &api.ProjectedVolumeSource{
+						Sources: []api.VolumeProjection{{ServiceAccountToken: &api.ServiceAccountTokenProjection{}}},
+					},
+				},
+				},
+			},
+		},
+	}
+	attrs := admission.NewAttributesRecord(pod, nil, api.Kind("Pod").WithVersion("version"), "myns", "myname", api.Resource("pods").WithVersion("version"), "", admission.Create, nil)
+	err := NewServiceAccount().Admit(attrs)
+	if err == nil {
+		t.Errorf("Expected a mirror pod to be prevented from referencing a ServiceAccountToken volume projection")
+	}
+}
+
 func TestAssignsDefaultServiceAccountAndToleratesMissingAPIToken(t *testing.T) {
 	ns := "myns"