mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-05-21 01:17:14 -04:00
7262edeb59
The previous error message said the audience was "not found in pod spec volume", which led users to mount a spurious projected service account token volume in the pod spec to satisfy the check. That is not the intended remedy: kubelets should be authorized via RBAC to request tokens for the configured audience. Reword the error to a generic "is not authorized to request tokens for audience %q" so users are not pushed toward modifying pod specs. The valid authorization paths (pod spec volume, CSIDriver tokenRequests, or the request-serviceaccounts-token-audience verb) are documented in the kubelet credential provider task page. Update the unit and integration test expectations to match. |
||
|---|---|---|
| .. | ||
| admission | ||
| auth | ||