As I understand audiences, I can request a token that has a specific audience, but if the kube-apiserver isn't configured to honor audiences, that token would still be valid for the KAS even if I specified a different audience, and that is unexpected.
Assigning to Christian so we can doc that SA token requests and projected volumes with a serviceAccountToken mount will not work in 4.1. This is not a security issue in 4.1 as:
1. There is no way to request a SA token with an audience in 4.1
2. The authenticator required to honor said token is not enabled in 4.1
3. The kubelet will error if a serviceAccountToken projected volume is used
Thus, there is no risk that a token with an audience will be issued while the audience restriction is "ignored."
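The concern in the first comment is that a token carrying one audience must not be accepted by a consumer expecting another once audience-bound tokens exist. The following is an added example, not code from this bug report or from OpenShift/Kubernetes: it builds the projected-volume spec that the thread says the 4.1 kubelet rejects, and models the authenticator-side check that a bound token is only accepted when its `aud` claim contains the expected audience. The sample tokens are constructed locally with a placeholder signature (real service account tokens are signed by the API server), so everything runs offline.

```python
import base64
import json
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def projected_sa_token_volume(name: str, audience: str, expiration_seconds: int) -> Dict:
    """Pod volume spec for a ServiceAccountTokenVolumeProjection (Kubernetes
    projected volume with a serviceAccountToken source). Field names follow the
    upstream API; the thread notes the 4.1 kubelet errors on such a volume."""
    return {
        "name": name,
        "projected": {
            "sources": [
                {
                    "serviceAccountToken": {
                        "audience": audience,
                        "expirationSeconds": expiration_seconds,
                        "path": "token",
                    }
                }
            ]
        },
    }


def jwt_claims(token: str) -> Dict:
    """Return the claim set of a compact JWT without verifying the signature.
    Signature verification is the authenticator's job; this inspects the payload only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_audiences(token: str) -> List[str]:
    """Normalise the RFC 7519 'aud' claim (string or list) to a list.
    Legacy, non-bound service account tokens carry no 'aud' at all."""
    aud = jwt_claims(token).get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def accepts_token(token: str, expected_audience: str, now: Optional[float] = None) -> bool:
    """Model the behaviour the thread expects from an audience-aware authenticator:
    reject expired tokens and any token whose 'aud' does not contain our audience."""
    claims = jwt_claims(token)
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and current >= exp:
        return False
    return expected_audience in token_audiences(token)


def make_sample_token(claims: Dict) -> str:
    """Constructed sample token for offline demonstration only. A real SA token is
    RS256-signed by the API server; the third segment here is a placeholder."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample claims (hypothetical namespace/service account names).
ISSUED_AT = 1_700_000_000
BOUND_TOKEN = make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:demo:app",
    "aud": ["vault"],
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 3600,
})
LEGACY_TOKEN = make_sample_token({
    "iss": "kubernetes/serviceaccount",
    "sub": "system:serviceaccount:demo:app",
})


if __name__ == "__main__":
    print(json.dumps(projected_sa_token_volume("vault-token", "vault", 3600), indent=2))
    print("bound token accepted by 'vault':", accepts_token(BOUND_TOKEN, "vault", now=ISSUED_AT))
    print("bound token accepted by KAS audience:",
          accepts_token(BOUND_TOKEN, "https://kubernetes.default.svc", now=ISSUED_AT))
    print("legacy token accepted by 'vault':", accepts_token(LEGACY_TOKEN, "vault", now=ISSUED_AT))
```

The second print is the case raised in the thread: a token minted for the `vault` audience is refused by a consumer expecting the API server's own audience, which is the behaviour an audience-honoring authenticator must provide before audience-scoped tokens can be issued safely.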
The following statement has been verified with QA and will be included in the "known issues" section of the release notes: Requesting a `ServiceAccountTokenVolumeProjection` is not available in {product-title} 4.1. The authenticator required to honor the token is not enabled in this release, and the kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used. This has been added to the 4.1 release note tracker here (which will be merged closer to GA): https://github.com/openshift/openshift-docs/pull/15039 Thanks, Andrew
For completeness: The TokenRequest API is not available in {product-title} 4.1. Requesting a `ServiceAccountTokenVolumeProjection` volume is not available in {product-title} 4.1. The kubelet will present an error if a `ServiceAccountTokenVolumeProjection` is used. The authenticator required to honor these tokens is not enabled in this release.
Excellent, thank you Mo. I've pushed an update with the text verbatim. Setting this bug to verified, and will move it to release pending when it has been merged per documentation standards.
These changes are now live since OCP 4.1 has GA'ed, closing this bug as current release. Thanks, Andrew