// Status is filled in by the server and indicates whether the token can be authenticated.
  // +optional
  optional TokenReviewStatus status = 3;
}

// TokenReviewSpec is a description of the token authentication request.
message TokenReviewSpec {
  // Token is the opaque bearer token.
  // +optional
  optional string token = 1;

  // Audiences is a list of the identifiers that the resource server presented

- `install-cni` container
    - copies `istio-cni` and `istio-iptables` to `/opt/cni/bin`
    - creates kubeconfig for the service account the pod runs under
    - periodically copy the K8S JWT token for istio-cni on the host to connect to K8S.
    - injects the CNI plugin config to the CNI config file

  // "csi.storage.k8s.io/serviceAccount.tokens": {
  //   "<audience>": {
  //     "token": <token>,
  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
  //   },
  //   ...
  // }
  //
  // Note: Audience in each TokenRequest should be different and at
  // most one token is empty string. To receive a new token after expiry,
  // RequiresRepublish can be used to trigger NodePublishVolume periodically.
  //

This CA enforcement is done by Istio's CA, and is a requirement for any alternative CAs integrating with Ztunnel.

Note: Ztunnel authenticates to the CA with a Kubernetes Service Account JWT token, which encodes the pod information, which is what enables this.

Ztunnel will request certificates for all identities on the node.
It determines this based on the Workload xDS configuration it receives.

message TokenRequestStatus {
  // Token is the opaque bearer token.
  optional string token = 1;

  // ExpirationTimestamp is the time of expiration of the returned token.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time expirationTimestamp = 2;
}

// TokenReview attempts to authenticate a token to a known user.
// Note: TokenReview requests may be cached by the webhook token authenticator

  // "csi.storage.k8s.io/serviceAccount.tokens": {
  //   "<audience>": {
  //     "token": <token>,
  //     "expirationTimestamp": <expiration timestamp in RFC3339>,
  //   },
  //   ...
  // }
  //
  // Note: Audience in each TokenRequest should be different and at
  // most one token is empty string. To receive a new token after expiry,
  // RequiresRepublish can be used to trigger NodePublishVolume periodically.
  //

  // token, and otherwise should reject the token. The audience defaults to the
  // identifier of the apiserver.
  // +optional
  optional string audience = 1;

  // expirationSeconds is the requested duration of validity of the service
  // account token. As the token approaches expiration, the kubelet volume
  // plugin will proactively rotate the service account token. The kubelet will

  // respond with a 410 ResourceExpired error together with a continue token. If the client needs a
  // consistent list, it must restart their list without the continue field. Otherwise, the client may
  // send another list request with the token received with the 410 error, the server will respond with