Enabling service account token volume projection for AKS engine on Azure Stack Hub

Istio is a configurable, open source service-mesh layer that connects, monitors, and secures the containers in a Kubernetes cluster. Istio 1.3 and higher uses a Kubernetes feature called service account token volume projection. This feature is not enabled by default in Kubernetes clusters deployed by AKS engine. This article shows the API model JSON properties in the apiServerConfig element that set the Kubernetes API server flags required to enable service account token volume projection for your cluster.

For more information about service account token volume projection, see Service Account Token Volume Projection.

Enable service account token volume projection

To enable service account token volume projection, add the following settings to your API model JSON file.

{
    "kubernetesConfig": {
        "apiServerConfig": {
            "--service-account-api-audiences": "api,istio-ca",
            "--service-account-issuer": "kubernetes.default.svc",
            "--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"
        }
    }
}

Note

You may have to adjust --service-account-api-audiences and --service-account-issuer to your specific use case.

For a full example API model, refer to istio.json.
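
As an added example (not part of the original article or of AKS engine), the Python sketch below reads the apiServerConfig settings shown above and checks a projected token's iss, aud and exp claims against them, which helps confirm that the flags took effect. The function names and the sample token are constructed for illustration; the payload is decoded without signature verification, so it is for inspection only.

```python
import base64
import json
import time

REQUIRED_FLAGS = ("--service-account-api-audiences", "--service-account-issuer",
                  "--service-account-signing-key-file")

def projection_settings(api_model):
    """Return issuer and audiences from apiServerConfig; raise if a flag is missing."""
    cfg = api_model.get("kubernetesConfig", {}).get("apiServerConfig", {})
    missing = [f for f in REQUIRED_FLAGS if not cfg.get(f)]
    if missing:
        raise ValueError("missing apiServerConfig flags: " + ", ".join(missing))
    audiences = [a.strip() for a in cfg["--service-account-api-audiences"].split(",")]
    return {"issuer": cfg["--service-account-issuer"], "audiences": audiences}

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_token(token, settings, now=None):
    """List mismatches between a token's claims and the configured settings."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != settings["issuer"]:
        problems.append("iss %r does not match configured issuer" % claims.get("iss"))
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if not set(aud) & set(settings["audiences"]):
        problems.append("aud %r not in configured audiences" % aud)
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def sample_token(claims):
    """Build an unsigned, constructed JWT-shaped string (demo input only)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "constructed-signature"])

# The apiServerConfig fragment from this article.
API_MODEL = {"kubernetesConfig": {"apiServerConfig": {
    "--service-account-api-audiences": "api,istio-ca",
    "--service-account-issuer": "kubernetes.default.svc",
    "--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"}}}

if __name__ == "__main__":
    tok = sample_token({"iss": "kubernetes.default.svc", "aud": ["istio-ca"], "exp": 4102444800})
    print(check_token(tok, projection_settings(API_MODEL)) or "claims match apiServerConfig")
```

If you adjust the issuer or audiences as the note above describes, the same check reports which claim no longer lines up.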

Next steps