const ServiceAccountUsernamePrefix … const ServiceAccountUsernameSeparator … const ServiceAccountGroupPrefix … const AllServiceAccountsGroup … const IssuedCredentialIDAuditAnnotationKey … const PodNameKey … const PodUIDKey … const NodeNameKey … const NodeUIDKey … // MakeUsername generates a username from the given namespace and ServiceAccount name. // The resulting username can be passed to SplitUsername to extract the original namespace and ServiceAccount name. func MakeUsername(namespace, name string) string { … } // MatchesUsername checks whether the provided username matches the namespace and name without // allocating. Use this when checking a service account namespace and name against a known string. func MatchesUsername(namespace, name string, username string) bool { … } var invalidUsernameErr … // SplitUsername returns the namespace and ServiceAccount name embedded in the given username, // or an error if the username is not a valid name produced by MakeUsername func SplitUsername(username string) (string, string, error) { … } // MakeGroupNames generates service account group names for the given namespace func MakeGroupNames(namespace string) []string { … } // MakeNamespaceGroupName returns the name of the group all service accounts in the namespace are included in func MakeNamespaceGroupName(namespace string) string { … } // UserInfo returns a user.Info interface for the given namespace, service account name and UID func UserInfo(namespace, name, uid string) user.Info { … } type ServiceAccountInfo … func (sa *ServiceAccountInfo) UserInfo() user.Info { … } // IsServiceAccountToken returns true if the secret is a valid api token for the service account func IsServiceAccountToken(secret *v1.Secret, sa *v1.ServiceAccount) bool { … }