AWS eks documentation change
Summary
Added documentation about External JWT Signer for Service Account Tokens promotion to Beta and recommended using bound service account tokens
Security assessment
The change documents security improvements in Kubernetes 1.34 related to service account token management. It recommends bound service account tokens which enhance security through automatic rotation and limited lifetimes, but doesn't address a specific vulnerability.
Diff
diff --git a/eks/latest/userguide/kubernetes-versions-standard.md b/eks/latest/userguide/kubernetes-versions-standard.md index a07c5fa5d..99202bcdb 100644 --- a//eks/latest/userguide/kubernetes-versions-standard.md +++ b//eks/latest/userguide/kubernetes-versions-standard.md @@ -42,0 +43,4 @@ Kubernetes `1.34` is now available in Amazon EKS. For more information about Kub + * External JWT Signer for Service Account Tokens is promoted to Beta. When using external signers, the --service-account-extend-token-expiration flag is no longer fully respected. The API server enforces the minimum expiration between the desired extension (1 year) and the external signer’s limit (24 hours). + + * We recommend using [bound service account tokens](https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-tokens), which are automatically mounted and rotated by Kubernetes. +