Support dynamic serviceAccountToken configuration in projected volume

Yi Ding

Sep 17, 2021, 8:10:10 PM
to kubernetes-sig-storage
Hi Community,

I am interested in https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection which allows users to project a customized service account token into a Pod's volume.

If I have one projected volume with one ServiceAccountToken in a live pod, as in the Spec below:

======================
volumes:
- name: vault-token
  projected:
    sources:
    - serviceAccountToken:
        path: vault-token 
        expirationSeconds: 7200
        audience: vault
======================

Am I able to add one more serviceAccountToken without restarting the Pod? I followed the above K8s wiki and can only re-deploy or recreate the pod to make the projected volume in the Pod pick up the new serviceAccountToken via kubectl apply:

======================
volumes:
- name: vault-token
  projected:
    sources:
    - serviceAccountToken:
        path: vault-token 
        expirationSeconds: 7200
        audience: vault
    - serviceAccountToken:
        path: aws-token 
        expirationSeconds: 7200
        audience: aws
======================

So my question is:
Does K8S support dynamically binding more serviceAccountTokens into a projected volume? If not, is there any plan to support this feature? I guess that would be very useful with the OIDC feature, since users may want to have a new audience and want separate tokens.

Thank you!

Yi
