Expose TokenRequest API for External Clients

Clients that are external to the Kubernetes cluster (e.g., a bot or a user's laptop) can access the cluster using Kubernetes Service Accounts as their identity. They store a long-lived token in their environment and use it to create time and audience bound tokens, to securely access the APIs exposed through the Istio Gateway (e.g., Rok, Kubeflow, etc.).

In this guide you will allow external clients to issue short-lived tokens by exposing the TokenRequest API of the Kubernetes API server.


  1. Edit rok/kubernetes-proxy/overlays/deploy/patches/ingress_host.json and specify your subdomain in field value:

          "op": "replace",
          "path": "/spec/rules/0/host",
          "value": "arrikto-cluster.apps.example.com"
  2. Commit your changes:

    root@rok-tools:~/ops/deployments# git commit -am "Expose Kubernetes TokenRequest API under /kubernetes"
  3. Apply the kustomization:

    root@rok-tools:~/ops/deployments# rok-deploy --apply rok/kubernetes-proxy/overlays/deploy


This will only expose the TokenRequest API, not the whole Kubernetes API.


  1. Verify that you can access the TokenRequest API under:


    Replace <YOUR_SUBDOMAIN> with your subdomain. For example:

    user@workstation:~$ curl https://arrikto-cluster.apps.example.com/kubernetes/api/v1/namespaces/default/serviceaccounts/default/token
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {
      "status": "Failure",
      "message": "serviceaccounts \"default\" is forbidden: User \"system:anonymous\" cannot get resource \"serviceaccounts/token\" in API group \"\" in the namespace \"kdefault\"",
      "reason": "Forbidden",
      "details": {
        "name": "default",
        "kind": "serviceaccounts"
      "code": 403


You have successfully exposed TokenRequest API under /kubernetes.

What's Next

Check out the rest of the maintenance operations that you can perform on your cluster.