content/en/docs/concepts/storage/volumes.md
Lines changed: 47 additions & 1 deletion
Original file line number
Diff line number
Diff line change
@@ -646,8 +646,15 @@ Currently, the following types of volume sources can be projected:
646
646
- [`secret`](#secret)
647
647
- [`downwardAPI`](#downwardapi)
648
648
- [`configMap`](#configmap)
649
+
- `serviceAccountToken`
649
650
650
-
All sources are required to be in the same namespace as the Pod. For more details, see the [all-in-one volume design document](https://github.com/kubernetes/community/blob/{{< param "githubbranch" >}}/contributors/design-proposals/node/all-in-one-volume.md).
651
+
All sources are required to be in the same namespace as the Pod. For more details,
652
+
see the [all-in-one volume design document](https://github.com/kubernetes/community/blob/{{< param "githubbranch" >}}/contributors/design-proposals/node/all-in-one-volume.md).
653
+
654
+
The projection of service account tokens is a feature introduced in Kubernetes
655
+
1.11. To enable this feature, you need to explicitly set the `TokenRequestProjection`
656
+
[feature gate](/docs/reference/command-line-tools-reference/feature-gates/) to
657
+
True.
651
658
652
659
#### Example Pod with a secret, a downward API, and a configmap.
653
660
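Review bot: the new `serviceAccountToken` list entry is a bare code span, while the three entries above it each link to their own section (`#secret`, `#downwardapi`, `#configmap`); give it a matching anchor or link to the paragraph that describes the token projection. The added paragraph also says to set the `TokenRequestProjection` feature gate to True without naming the components on which the gate has to be set; state them here so the instruction can be followed without leaving the page.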
@@ -730,6 +737,45 @@ parameters are nearly the same with two exceptions:
730
737
volume source. However, as illustrated above, you can explicitly set the `mode`
731
738
for each individual projection.
732
739
740
+
When the `TokenRequestProjection` feature is enabled, you can inject the token
741
+
for the current [service account](/docs/reference/access-authn-authz/authentication/#service-account-tokens)
742
+
into a Pod at a specified path. Below is an example:
743
+
744
+
```yaml
745
+
apiVersion: v1
746
+
kind: Pod
747
+
metadata:
748
+
name: sa-token-test
749
+
spec:
750
+
containers:
751
+
- name: container-test
752
+
image: busybox
753
+
volumeMounts:
754
+
- name: token-vol
755
+
mountPath: "/sevice-account"
756
+
readOnly: true
757
+
volumes:
758
+
- name: token-vol
759
+
projected:
760
+
sources:
761
+
- serviceAccountToken:
762
+
audience: api
763
+
expirationSeconds: 3600
764
+
path: token
765
+
```
766
+
767
+
The example Pod has a projected volume containing the injected service account
768
+
token. This token can be used by Pod containers to access the Kubernetes API
769
+
server, for example. The `audience` field contains the intended audience of the
770
+
token. A recipient of the token must identify itself with an identifier specified
771
+
in the audience of the token, and otherwise should reject the token. This field
772
+
is optional and it defaults to the identifier of the API server.
773
+
774
+
The `expirationSeconds` is the expected duration of validity of the service account
775
+
token. It defaults to 1 hour and must be at least 10 minutes (600 seconds).
776
+
The `path` field specifies a relative path to the mount point of the projected
777
+
volume.
778
+
733
779
{{< note >}}
734
780
**Note:** A Container using a projected volume source as a [subPath](#using-subpath) volume mount will not
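Review bot: `mountPath: "/sevice-account"` in the example Pod is misspelled and should read `/service-account`, since readers will copy the manifest as written. The example sets `audience: api` while the prose says the field defaults to the identifier of the API server; say whether `api` is that identifier or an arbitrary illustrative value, because a recipient is told to reject tokens whose audience does not match. The text gives the default and minimum for `expirationSeconds` but not what a container should expect once that duration elapses (whether the file at `path` is refreshed or the token just stops being valid); add a sentence covering that. "a relative path to the mount point" would also read more clearly as "a path relative to the mount point".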