Monitoring safe rollout of time-bound service account token.

2025-09-09 05:01:46 +00:00 · 2020-03-13 14:49:47 -07:00
parent 57108f6c3e
commit ae0e52d28c
16 changed files with 251 additions and 33 deletions
--- a/plugin/pkg/admission/serviceaccount/admission.go
+++ b/plugin/pkg/admission/serviceaccount/admission.go
@@ -530,7 +530,7 @@ func (s *Plugin) createVolume(tokenVolumeName, secretName string) api.Volume {
 						{
 							ServiceAccountToken: &api.ServiceAccountTokenProjection{
 								Path:              "token",
-								ExpirationSeconds: 60 * 60,
+								ExpirationSeconds: serviceaccount.WarnOnlyBoundTokenExpirationSeconds,
 							},
 						},
 						{
--- a/plugin/pkg/admission/serviceaccount/admission_test.go
+++ b/plugin/pkg/admission/serviceaccount/admission_test.go
@@ -252,7 +252,7 @@ func TestAssignsDefaultServiceAccountAndBoundTokenWithNoSecretTokens(t *testing.
 		VolumeSource: api.VolumeSource{
 			Projected: &api.ProjectedVolumeSource{
 				Sources: []api.VolumeProjection{
-					{ServiceAccountToken: &api.ServiceAccountTokenProjection{ExpirationSeconds: 3600, Path: "token"}},
+					{ServiceAccountToken: &api.ServiceAccountTokenProjection{ExpirationSeconds: 3607, Path: "token"}},
 					{ConfigMap: &api.ConfigMapProjection{LocalObjectReference: api.LocalObjectReference{Name: "kube-root-ca.crt"}, Items: []api.KeyToPath{{Key: "ca.crt", Path: "ca.crt"}}}},
 					{DownwardAPI: &api.DownwardAPIProjection{Items: []api.DownwardAPIVolumeFile{{Path: "namespace", FieldRef: &api.ObjectFieldSelector{APIVersion: "v1", FieldPath: "metadata.namespace"}}}}},
 				},