Set Expiry of Kubernetes service tokens

Question

Is there a way to configure Kubernetes SetviceAccount tokens to expire? Following the documentation these tokens are JWT (as I was able to also check it using a JWT debugger). Following the specification JWT specifies expiration but so far I was not able to find out how I can convince Kubernetes create tokens with this header.

Any thoughts?

Answer 1

From the docs here you can use expirationSeconds to set expiry time of the JWT token. This property is not configurable on the default service account token.

apiVersion: v1
kind: Pod
metadata:
  name: nginx
spec:
  containers:
  - image: nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: vault-token
  serviceAccountName: build-robot
  volumes:
  - name: vault-token
    projected:
      sources:
      - serviceAccountToken:
          path: vault-token
          expirationSeconds: 7200
          audience: vault