apiVersion: authentication.k8s.io/v1
import "k8s.io/api/authentication/v1"
TokenRequest requests a token for a given service account.
apiVersion: authentication.k8s.io/v1
kind: TokenRequest
metadata (ObjectMeta)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
spec (TokenRequestSpec), required
Spec holds information about the request being evaluated
status (TokenRequestStatus)
Status is filled in by the server and indicates whether the token can be authenticated.
TokenRequestSpec contains client provided parameters of a token request.
audiences ([]string), required
Audiences are the intendend audiences of the token. A recipient of a token must identitfy themself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed but implies a high degree of trust between the target audiences.
boundObjectRef (BoundObjectReference)
BoundObjectRef is a reference to an object that the token will be bound to. The token will only be valid for as long as the bound object exists. NOTE: The API server's TokenReview endpoint will validate the BoundObjectRef, but other audiences may not. Keep ExpirationSeconds small if you want prompt revocation.
BoundObjectReference is a reference to an object that a token is bound to.
boundObjectRef.apiVersion (string)
API version of the referent.
boundObjectRef.kind (string)
Kind of the referent. Valid kinds are 'Pod' and 'Secret'.
boundObjectRef.name (string)
Name of the referent.
boundObjectRef.uid (string)
UID of the referent.
expirationSeconds (int64)
ExpirationSeconds is the requested duration of validity of the request. The token issuer may return a token with a different validity duration so a client needs to check the 'expiration' field in a response.
TokenRequestStatus is the result of a token request.
expirationTimestamp (Time), required
ExpirationTimestamp is the time of expiration of the returned token.
Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
token (string), required
Token is the opaque bearer token.
create
create token of a ServiceAccountPOST /api/v1/namespaces/{namespace}/serviceaccounts/{name}/token
name (in path): string, required
name of the TokenRequest
namespace (in path): string, required
body: TokenRequest, required
dryRun (in query): string
fieldManager (in query): string
fieldValidation (in query): string
pretty (in query): string
200 (TokenRequest): OK
201 (TokenRequest): Created
202 (TokenRequest): Accepted
401: Unauthorized
© 2022 The Kubernetes Authors
Documentation Distributed under CC BY 4.0.
https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/