Expose TokenRequest API for External Clients

Clients that are external to the Kubernetes cluster (e.g., a bot or a user’s laptop) can access the cluster using Kubernetes Service Accounts as their identity. They store a long-lived token in their environment and use it to create time- and audience-bound tokens, with which they securely access the APIs exposed through the Istio Gateway (e.g., Rok or Kubeflow).

In this guide you will allow external clients to issue short-lived tokens by exposing the TokenRequest API of the Kubernetes API server. You will expose this API under the EKF domain, the Serving domain, or both.

Important

This guide will not configure TLS on NGINX. If TLS termination takes place outside the cluster, for example, with an ALB on EKS, everything will work. Otherwise you will end up getting a “Kubernetes Ingress Controller Fake Certificate” when using HTTPS to access the API.

What You’ll Need

Procedure

Note

Repeat

If you want to expose the TokenRequest API both for EKF and Serving, run this procedure twice, by choosing the right set of tabs in each run.

  1. Specify your subdomain. Choose one of the following options based on which domain you are exposing the TokenRequest API under.

    For the EKF domain, edit rok/kubernetes-proxy/overlays/deploy/patches/ingress_host.json and specify your subdomain in field value:

    [
      {
        "op": "replace",
        "path": "/spec/rules/0/host",
        "value": "arrikto-cluster.apps.example.com"
      }
    ]

    For the Serving domain, edit rok/kubernetes-proxy-serving/overlays/deploy/patches/ingress_host.json and specify your subdomain in field value:

    [
      {
        "op": "replace",
        "path": "/spec/rules/0/host",
        "value": "arrikto-cluster-serving.serving.example.com"
      }
    ]
  2. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Kubernetes TokenRequest API under /kubernetes"
  3. Apply the kustomization. Choose one of the following options based on which domain you are exposing the TokenRequest API under.

    For the EKF domain:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/kubernetes-proxy/overlays/deploy

    For the Serving domain:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/kubernetes-proxy-serving/overlays/deploy

Important

This will only expose the TokenRequest API, not the whole Kubernetes API.

Verify

  1. Specify your subdomain:

    user@workstation:~$ export SUBDOMAIN=<SUBDOMAIN>

    Replace <SUBDOMAIN> with your subdomain. For example:

    user@workstation:~$ export SUBDOMAIN=arrikto-cluster.apps.example.com
  2. Verify that you can reach the TokenRequest API under your subdomain. The request below is unauthenticated, so the expected response is a 403 from the API server, which confirms that the endpoint is exposed and that anonymous clients cannot use it:

    user@workstation:~$ curl https://${SUBDOMAIN?}/kubernetes/api/v1/namespaces/default/serviceaccounts/default/token
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "serviceaccounts \"default\" is forbidden: User \"system:anonymous\" cannot get resource \"serviceaccounts/token\" in API group \"\" in the namespace \"default\"",
      "reason": "Forbidden",
      "details": {
        "name": "default",
        "kind": "serviceaccounts"
      },
      "code": 403
    }

    Troubleshooting

    Could not resolve host

    ExternalDNS will create records based on your input so there might be a slight delay for the DNS to propagate.
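To show how an external client uses the endpoint you just verified, here is an added Python example that is not part of this guide or of Rok: it builds a TokenRequest bound to an assumed Istio gateway audience, sends it under the /kubernetes prefix using the client's long-lived service account token, and checks the aud and exp claims of the returned JWT before the token is used. The subdomain, namespace, service account and audience values are assumptions, and make_sample_token produces a constructed, unsigned token only so the checks can be exercised offline.

```python
import base64
import json
import urllib.request

# TokenRequest subresource as exposed by this guide under the /kubernetes prefix.
TOKEN_PATH = "/kubernetes/api/v1/namespaces/{ns}/serviceaccounts/{sa}/token"


def token_request_url(subdomain, namespace, sa):
    """Build the TokenRequest URL for a service account under the exposed prefix."""
    return "https://" + subdomain + TOKEN_PATH.format(ns=namespace, sa=sa)


def build_token_request(audiences, expiration_seconds=600):
    """TokenRequest body: ask for a short-lived token bound to explicit audiences."""
    spec = {"audiences": list(audiences), "expirationSeconds": expiration_seconds}
    return {"apiVersion": "authentication.k8s.io/v1", "kind": "TokenRequest", "spec": spec}


def jwt_claims(token):
    """Decode a JWT payload (no signature verification) to inspect its claims."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, expected_audiences):
    """True if the issued token carries exactly the requested audiences and an expiry."""
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    return sorted(aud) == sorted(expected_audiences) and "exp" in claims


def make_sample_token(claims):
    """Constructed, unsigned JWT used only to exercise the checks above offline."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "RS256", "typ": "JWT"}) + "." + b64(claims) + ".constructed-signature"


def request_token(subdomain, namespace, sa, long_lived_token, audiences, expiration_seconds=600):
    """POST the TokenRequest, authenticating with the long-lived service account token."""
    body = json.dumps(build_token_request(audiences, expiration_seconds)).encode()
    req = urllib.request.Request(
        token_request_url(subdomain, namespace, sa), data=body, method="POST",
        headers={"Authorization": "Bearer " + long_lived_token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        status = json.load(resp)["status"]
    if not check_token(status["token"], audiences):
        raise ValueError("issued token does not carry the requested audiences")
    return status["token"], status["expirationTimestamp"]
```

Only request_token touches the network; the remaining functions can be exercised offline against a token from make_sample_token.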

Summary

You have successfully exposed the TokenRequest API under /kubernetes.

What’s Next

Check out the rest of the maintenance operations that you can perform on your cluster.