I know that in Kubernetes deployments we can use projected volume to mount a token from a Service Account. Additionally, we can specify audience
for the token. The problem is that I need multiple audiences, not just one. Please see the yaml I use for deployment at the bottom of the question.
The part that is not working as expected is audience: service1,service2,service3.
When Kubernetes generates the token and I decode it on jwt.io, the audience section looks like this:
    "aud": [
        "service1,service2,service3"
    ]
But I expect it to look like this:
    "aud": [
        "service1", "service2", "service3"
    ]
Basically, Kubernetes thinks "service1,service2,service3" is one audience, but I need a way to specify that this token must work for 3 separate audiences. I thought this could be achieved by separating values with commas, but apparently not.
I also tried this in my deployment, but it fails saying audience must be a string:
    - serviceAccountToken:
        audience:
          - service1
          - service2
          - service3
        expirationSeconds: 600
        path: my-token
This is the full yaml for my deployment:
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        app: token-client
      name: token-client
      namespace: token-demo
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: token-client
      template:
        metadata:
          labels:
            app: token-client
        spec:
          serviceAccountName: token-client-test
          containers:
            - image: myuser/myimage:0.2.0
              name: token-client
              volumeMounts:
                - mountPath: /var/run/secrets/tokens
                  name: my-token
          volumes:
            - name: my-token
              projected:
                sources:
                  - serviceAccountToken:
                      audience: service1,service2,service3
                      expirationSeconds: 600
                      path: my-token
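The practical consequence of the comma-joined value shows up on the receiving side. A service that validates the token's aud claim the way RFC 7519 section 4.1.3 describes compares its own identifier against each audience value as a whole string, so "service1,service2,service3" is a single audience that matches none of service1, service2 or service3. The following is an added example, not part of the question above: it mints two demo tokens with the constructed claims from the question (one comma-joined audience, one with three separate audiences) and runs the audience check a receiving service would perform. The tokens are signed with HS256 and a constructed demo secret purely so the example runs offline with the standard library; real projected service account tokens are signed by the kube-apiserver with an asymmetric key and would be verified against its public keys.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret. Real projected tokens are signed by the kube-apiserver
# with an RSA/ECDSA key; HS256 is used here only so the example runs offline.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a compact HS256 JWT for the given claims (demo only)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def audience_accepted(token: str, my_audience: str, secret: bytes = DEMO_SECRET) -> bool:
    """Return True only if the signature verifies and my_audience is one of the
    token's audiences. Per RFC 7519 the aud claim is a string or an array of
    strings; each value is compared whole and case-sensitively, never split."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return False
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison; mismatched lengths simply return False.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list):
        return False
    return my_audience in aud


# Constructed claims mirroring the question: the subject is the service account
# from the deployment YAML; only the aud claim differs between the two tokens.
SUBJECT = "system:serviceaccount:token-demo:token-client-test"
COMMA_JOINED = mint_token({"sub": SUBJECT, "aud": ["service1,service2,service3"]})
THREE_AUDIENCES = mint_token({"sub": SUBJECT, "aud": ["service1", "service2", "service3"]})

if __name__ == "__main__":
    for name, tok in (("comma-joined", COMMA_JOINED), ("three audiences", THREE_AUDIENCES)):
        print(f"{name}: accepted by service1 = {audience_accepted(tok, 'service1')}")
```

Run as a script, the comma-joined token is rejected by service1 while the token carrying three separate audience values is accepted; the only caller that would accept the comma-joined token is one whose own identifier is literally "service1,service2,service3". The check also deliberately rejects a token whose aud is neither a string nor a list, and it verifies the signature before looking at any claim so a forged payload never reaches the audience comparison.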