Short lived service account tokens for K8s integration
Problem to solve
The GitLab Kubernetes integration uses forever-living service account tokens for all access to the Kubernetes API. It should not rely on them, as Kubernetes wants to properly restrict the validity of such tokens in the future.
Intended users
Unknown
Further details
Kubernetes started to add bound service tokens with a limited lifetime and audience. And more in this article
Proposal
While a lot of this is still cooking, GitLab should at least stop storing service account tokens in clusters_kubernetes_namespaces and fetch new ones.
It should support getting tokens via the TokenRequest API for all builds and restrict them to the runtime of the job.
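A sketch of the per-job token request proposed above, as an added example that is not GitLab's code: it builds the TokenRequest body with a lifetime tied to the job timeout and checks the expiry the API server actually returns. The function names, the job timeout and audience inputs, and the sample response are assumptions constructed for illustration.

```ruby
require 'json'
require 'time'

# The Kubernetes API rejects spec.expirationSeconds below 10 minutes,
# so very short jobs still get a 600-second token.
MIN_TOKEN_TTL = 600

# Path of the TokenRequest subresource of a service account.
def token_request_path(namespace, service_account)
  "/api/v1/namespaces/#{namespace}/serviceaccounts/#{service_account}/token"
end

# Body to POST to token_request_path. job_timeout_seconds and audience are
# hypothetical inputs supplied by the CI system for one build.
def token_request_body(job_timeout_seconds, audience)
  {
    apiVersion: 'authentication.k8s.io/v1',
    kind: 'TokenRequest',
    spec: {
      audiences: [audience],
      expirationSeconds: [job_timeout_seconds, MIN_TOKEN_TTL].max
    }
  }
end

# The issuer may return a different lifetime than requested (for example when
# the cluster caps token expiration), so read status.expirationTimestamp and
# compare it with the job deadline instead of trusting the request.
def parse_token_response(json, job_deadline)
  status = JSON.parse(json).fetch('status')
  expires_at = Time.iso8601(status.fetch('expirationTimestamp'))
  { token: status.fetch('token'),
    expires_at: expires_at,
    covers_job: expires_at >= job_deadline }
end

# Constructed sample response; the token value is a placeholder.
SAMPLE_RESPONSE = JSON.generate(
  'kind' => 'TokenRequest',
  'status' => { 'token' => 'PLACEHOLDER.JWT.VALUE',
                'expirationTimestamp' => '2030-01-01T01:00:00Z' }
)

if __FILE__ == $PROGRAM_NAME
  puts token_request_path('ci-ns', 'ci-sa')
  puts JSON.pretty_generate(token_request_body(3600, 'https://kubernetes.default.svc'))
  p parse_token_response(SAMPLE_RESPONSE, Time.iso8601('2030-01-01T00:30:00Z'))
end
```

Because the token is requested per build and never persisted, nothing long-lived remains in clusters_kubernetes_namespaces to leak.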