From 73c7669f7e210802998f13133ba56b9f31bdd145 Mon Sep 17 00:00:00 2001
From: Ben Luddy
Date: Thu, 29 Jan 2026 16:21:03 -0500
Subject: [PATCH] fishing for long-lived token requests

---
 ...tor_09_tokenrequest_annotation_policy.yaml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 manifests/0000_20_kube-apiserver-operator_09_tokenrequest_annotation_policy.yaml

diff --git a/manifests/0000_20_kube-apiserver-operator_09_tokenrequest_annotation_policy.yaml b/manifests/0000_20_kube-apiserver-operator_09_tokenrequest_annotation_policy.yaml
new file mode 100644
index 0000000000..0b576eed61
--- /dev/null
+++ b/manifests/0000_20_kube-apiserver-operator_09_tokenrequest_annotation_policy.yaml
@@ -0,0 +1,34 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: tokenrequest-expiration-annotation-policy
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ failurePolicy: Ignore
+ matchConstraints:
+ resourceRules:
+ - apiGroups: [""]
+ apiVersions: ["v1"]
+ operations: ["CREATE"]
+ resources: ["serviceaccounts/token"]
+ validations:
+ - expression: "true"
+ auditAnnotations:
+ - key: "requested-expiration-seconds"
+ valueExpression: "has(object.spec.expirationSeconds) ? string(object.spec.expirationSeconds) : '3600'"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: tokenrequest-expiration-annotation-binding
+ annotations:
+ include.release.openshift.io/ibm-cloud-managed: "true"
+ include.release.openshift.io/self-managed-high-availability: "true"
+ include.release.openshift.io/single-node-developer: "true"
+spec:
+ policyName: tokenrequest-expiration-annotation-policy
+ validationActions: [Deny]
+ matchResources: {}
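Review bot: The `valueExpression` under `auditAnnotations` records only what the client asked for in `spec.expirationSeconds`, not the lifetime the apiserver actually issues, which can differ once `--service-account-max-token-expiration` caps the request or `--service-account-extend-token-expiration` extends admission-injected tokens; anyone hunting long-lived tokens from this annotation should treat it as "requested" and correlate with the issued `status.expirationTimestamp`, which admission cannot see. The `'3600'` fallback matches the TokenRequest default and is harmless, though it is likely redundant if v1 defaulting already populates the field before admission runs. The always-true `expression: "true"` paired with `validationActions: [Deny]` looks intentional but is undocumented; add `# Audit-only policy: the validation never fails, it exists to publish the requested token expiration as an audit annotation (key is prefixed with the policy name, i.e. tokenrequest-expiration-annotation-policy/requested-expiration-seconds, if I recall the VAP key format correctly).` at the top of the manifest. Note the annotation only lands in the audit log if the cluster audit policy records `serviceaccounts/token` creates at Metadata level or above, which is presumably true for the default OpenShift profile but worth confirming before relying on it.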