Istiod uses serviceAccount `istiod` and serviceAccountName `istiod` to have gain access to k8s api server. According to how service account works with a pod, this basically mount the token in this directory
/var/run/secrets/kubernetes.io/serviceaccount
this directory contains root ca, namespace and jwt.
in remote case, istiod has to be configured to use istio-kubeconfig secret to gain access to the remote cluster. The secret will be mounted to istiod pod at the following location
/var/run/secrets/remote
the name of the file normally is config which basically contains a content of a kube config file.
No comments:
Post a Comment