TokenRequest

apiVersion: authentication.k8s.io/v1

import "k8s.io/api/authentication/v1"

TokenRequest

TokenRequest requests a token for a given service account.

• apiVersion: authentication.k8s.io/v1

• kind: TokenRequest

• metadata (ObjectMeta)

  Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

• spec (TokenRequestSpec), required

  Spec holds information about the request being evaluated

• status (TokenRequestStatus)

  Status is filled in by the server and indicates whether the token can be authenticated.

TokenRequestSpec

TokenRequestSpec contains client provided parameters of a token request.

• audiences ([]string), required

  Audiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.

• boundObjectRef (BoundObjectReference)

  BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.

  BoundObjectReference is a reference to an object that a token is bound to.

  • boundObjectRef.apiVersion (string)

    API version of the referent.

  • boundObjectRef.kind (string)

    Kind of the referent. Valid kinds are 'Pod' and 'Secret'.

  • boundObjectRef.name (string)

    Name of the referent.

  • boundObjectRef.uid (string)

    UID of the referent.

• expirationSeconds (int64)

  ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.

TokenRequestStatus

TokenRequestStatus is the result of a token request.

• expirationTimestamp (Time), required

  ExpirationTimestamp is the time of expiration of the returned token.

  Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

• token (string), required

  Token is the opaque bearer token.

Operations

create create token of a ServiceAccount

HTTP Request

POST /api/v1/namespaces/{namespace}/serviceaccounts/{name}/token

Parameters

• name (in path): string, required

  name of the TokenRequest

• namespace (in path): string, required

  namespace

• body: TokenRequest, required

• dryRun (in query): string

  dryRun

• fieldManager (in query): string

  fieldManager

• fieldValidation (in query): string

  fieldValidation

• pretty (in query): string

  pretty

Response

200 (TokenRequest): OK

201 (TokenRequest): Created

202 (TokenRequest): Accepted

401: Unauthorized