kubernetes/plugin/pkg/admission/noderestriction
Anish Ramasekar 7262edeb59
fix(admission): reword NodeRestriction audience authorization error

The previous error message said the audience was "not found in pod
spec volume", which led users to mount a spurious projected service
account token volume in the pod spec to satisfy the check. That is
not the intended remedy: kubelets should be authorized via RBAC to
request tokens for the configured audience.

Reword the error to a generic "is not authorized to request tokens
for audience %q" so users are not pushed toward modifying pod specs.
The valid authorization paths (pod spec volume, CSIDriver tokenRequests,
or the request-serviceaccounts-token-audience verb) are documented
in the kubelet credential provider task page.

Update the unit and integration test expectations to match.
2026-05-13 16:30:51 -07:00
admission.go fix(admission): reword NodeRestriction audience authorization error 2026-05-13 16:30:51 -07:00
admission_test.go fix(admission): reword NodeRestriction audience authorization error 2026-05-13 16:30:51 -07:00
OWNERS Check in OWNERS modified by update-yamlfmt.sh 2021-12-09 21:31:26 -05:00