Enabling service account token volume projection for AKS engine on Azure Stack Hub
Istio is a configurable, open source service-mesh layer that connects, monitors, and secures the containers in a Kubernetes cluster. Istio 1.3 and higher uses a Kubernetes feature called service account token volume projection. This feature is not enabled by default in Kubernetes clusters deployed by AKS engine. This article shows the API model JSON properties, under the apiServerConfig element, that set the Kubernetes API server flags required to enable service account token volume projection for your cluster.
For more information about service account token volume projection, see Service Account Token Volume Projection.
Enable service account token volume projection
To enable service account token volume projection, add the following settings to your API model JSON file.
{
  "kubernetesConfig": {
    "apiServerConfig": {
      "--service-account-api-audiences": "api,istio-ca",
      "--service-account-issuer": "kubernetes.default.svc",
      "--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"
    }
  }
}
Note
You may have to adjust --service-account-api-audiences and --service-account-issuer to your specific use case.
For a full example API model, refer to istio.json.
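The following added example (not part of the original article or of AKS engine) shows how the issuer and audience flags above surface in a projected token: it checks that the three flags are present, then compares a token's `iss`, `aud` and `exp` claims against them. The function names and the sample token are constructed for illustration, and the token's signature is not verified, so this is a configuration check and not an authentication step.

```python
import base64
import json
import time

# The apiServerConfig fragment from the article.
API_MODEL = json.loads("""{"kubernetesConfig": {"apiServerConfig": {
  "--service-account-api-audiences": "api,istio-ca",
  "--service-account-issuer": "kubernetes.default.svc",
  "--service-account-signing-key-file": "/etc/kubernetes/certs/apiserver.key"}}}""")
REQUIRED_FLAGS = ("--service-account-api-audiences", "--service-account-issuer",
                  "--service-account-signing-key-file")

def load_flags(api_model):
    """Return apiServerConfig, raising if a required flag is absent or empty."""
    cfg = api_model["kubernetesConfig"]["apiServerConfig"]
    missing = [f for f in REQUIRED_FLAGS if not cfg.get(f)]
    if missing:
        raise ValueError("missing API server flags: " + ", ".join(missing))
    return cfg

def decode_claims(token):
    """Decode a JWT payload WITHOUT verifying its signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def check_token(token, cfg, now=None):
    """List mismatches between a token's claims and the configured flags."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    accepted = {a.strip() for a in cfg["--service-account-api-audiences"].split(",")}
    aud = claims.get("aud", [])
    problems = []
    if claims.get("iss") != cfg["--service-account-issuer"]:
        problems.append("issuer mismatch")
    if not accepted.intersection([aud] if isinstance(aud, str) else aud):
        problems.append("no accepted audience")  # API server needs at least one match
    if claims.get("exp", 0) <= now:
        problems.append("expired or missing exp")
    return problems

def sample_token(claims):
    """Build a constructed, unsigned token for the demo (signature is a dummy)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256"}), enc(claims), "c2ln"])

if __name__ == "__main__":
    tok = sample_token({"iss": "kubernetes.default.svc", "aud": ["istio-ca"], "exp": 4102444800})
    print(check_token(tok, load_flags(API_MODEL)) or "claims match apiServerConfig")
```

To inspect a real token, pass the contents of the projected token file mounted in the pod to check_token in place of the constructed sample.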