Referring to the Kubernetes docs, under "Using the API -> Accessing the API -> Authenticating -> Authentication strategies -> Service Account Tokens", it says the following:
--service-account-key-file A file containing a PEM encoded key for signing bearer tokens. If unspecified, the API server’s TLS private key will be used.
and under "Using the API -> Accessing the API -> Managing Service Accounts -> Service account automation -> Token Controller", it says the following:
You must pass a service account private key file to the token controller in the controller-manager by using the --service-account-private-key-file option. The private key will be used to sign generated service account tokens. Similarly, you must pass the corresponding public key to the kube-apiserver using the --service-account-key-file option. The public key will be used to verify the tokens during authentication.
I am a bit confused: the former says that the flag (for the admission controller running as part of the apiserver, right?) will be used to sign the token, but the latter says that it will be used to verify the token and that the token will be signed by the controller manager.
Please help!
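The second doc passage quoted above describes an asymmetric split: the token controller (in kube-controller-manager, given --service-account-private-key-file) signs with the private key, and kube-apiserver (given --service-account-key-file) verifies with the matching public key. The following Go program is an added example, not code from the Kubernetes project, that plays both roles against one freshly generated RSA key pair so the two flags can be seen side by side. The token layout is a plain RS256 JWT with claim names modelled on the legacy service account token; the key generation, the PEM round-trip and the sample claims are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Claims holds the fields the example token carries. The claim names are
// modelled on the legacy Kubernetes service account token (assumption for
// the example; the real token has more fields).
type Claims struct {
	Issuer    string `json:"iss"`
	Namespace string `json:"kubernetes.io/serviceaccount/namespace"`
	Name      string `json:"kubernetes.io/serviceaccount/service-account.name"`
	Subject   string `json:"sub"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignToken is the token controller's side: it needs the PRIVATE key, i.e.
// what the controller-manager gets via --service-account-private-key-file.
func SignToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	header := b64([]byte(`{"alg":"RS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// VerifyToken is the apiserver's side: it only needs the PUBLIC key, i.e.
// what kube-apiserver gets via --service-account-key-file. A token whose
// payload was altered, or that was signed with some other key, is rejected.
func VerifyToken(pub *rsa.PublicKey, token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token: expected header.payload.signature")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return Claims{}, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return Claims{}, fmt.Errorf("signature check failed: %w", err)
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// PublicKeyPEM renders the public half in the PEM form a file passed as
// --service-account-key-file would contain.
func PublicKeyPEM(priv *rsa.PrivateKey) ([]byte, error) {
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der}), nil
}

// ParsePublicKeyPEM is the apiserver-side loading step: the verifier never
// needs, and should never be given, the private key.
func ParsePublicKeyPEM(data []byte) (*rsa.PublicKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	k, err := x509.ParsePKIXPublicKey(block.Bytes)
	if err != nil {
		return nil, err
	}
	pub, ok := k.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("not an RSA public key")
	}
	return pub, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key pair for the demo
	claims := Claims{Issuer: "kubernetes/serviceaccount", Namespace: "default",
		Name: "default", Subject: "system:serviceaccount:default:default"}
	tok, _ := SignToken(priv, claims)       // controller-manager role
	pemBytes, _ := PublicKeyPEM(priv)       // what the apiserver is configured with
	pub, _ := ParsePublicKeyPEM(pemBytes)   // apiserver loads only the public key
	got, err := VerifyToken(pub, tok)       // apiserver role
	fmt.Println("verified subject:", got.Subject, "err:", err)
}
```

Usage: `go run main.go` prints the verified subject. The point to take from the program is that only `SignToken` touches the private key; `VerifyToken` and `ParsePublicKeyPEM` work from the public key alone, which is why the two components are handed different files.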