mirror of
https://github.com/kubernetes/kubernetes.git
synced 2026-05-21 17:39:59 -04:00
7262edeb59
The previous error message said the audience was "not found in pod spec volume", which led users to mount a spurious projected service account token volume in the pod spec to satisfy the check. That is not the intended remedy: kubelets should be authorized via RBAC to request tokens for the configured audience. Reword the error to a generic "is not authorized to request tokens for audience %q" so users are not pushed toward modifying pod specs. The valid authorization paths (pod spec volume, CSIDriver tokenRequests, or the request-serviceaccounts-token-audience verb) are documented in the kubelet credential provider task page. Update the unit and integration test expectations to match. |
||
|---|---|---|
| .. | ||
| cmd | ||
| compatibility_lifecycle | ||
| conformance | ||
| declarative_validation | ||
| e2e | ||
| e2e_dra | ||
| e2e_kubeadm | ||
| e2e_node | ||
| fixtures | ||
| fuzz | ||
| images | ||
| integration | ||
| kubemark | ||
| list | ||
| soak/serve_hostnames | ||
| typecheck | ||
| utils | ||
| OWNERS | ||