// audiences is the set of acceptable audiences the JWT must be issued to.
	// At least one of the entries must match the "aud" claim in presented JWTs.
	// Same value as the --oidc-client-id flag (though this field supports an array).
	// Required to be non-empty.
	// +required
	Audiences []string `json:"audiences"`

// aud: list of audiences to check. If empty 1st party tokens will be checked.
func ValidateK8sJwt(kubeClient kubernetes.Interface, targetToken string, aud []string) (security.KubernetesInfo, error) {
	tokenReview := &k8sauth.TokenReview{
		Spec: k8sauth.TokenReviewSpec{
			Token: targetToken,
		},
	}
	if aud != nil {
		tokenReview.Spec.Audiences = aud
	}

    blockOwnerDeletion: true
    controller: true
    kind: kindValue
    name: nameValue
    uid: uidValue
  resourceVersion: resourceVersionValue
  selfLink: selfLinkValue
  uid: uidValue
spec:
  audiences:
  - audiencesValue
  boundObjectRef:
    apiVersion: apiVersionValue
    kind: kindValue
    name: nameValue
    uid: uidValue
  expirationSeconds: 4
status:
  expirationTimestamp: "2002-01-01T01:01:01Z"

    blockOwnerDeletion: true
    controller: true
    kind: kindValue
    name: nameValue
    uid: uidValue
  resourceVersion: resourceVersionValue
  selfLink: selfLinkValue
  uid: uidValue
spec:
  audiences:
  - audiencesValue
  boundObjectRef:
    apiVersion: apiVersionValue
    kind: kindValue
    name: nameValue
    uid: uidValue
  expirationSeconds: 4
status:
  expirationTimestamp: "2002-01-01T01:01:01Z"

        "time": "2004-01-01T01:01:01Z",
        "fieldsType": "fieldsTypeValue",
        "fieldsV1": {},
        "subresource": "subresourceValue"
      }
    ]
  },
  "spec": {
    "audiences": [
      "audiencesValue"
    ],
    "expirationSeconds": 4,
    "boundObjectRef": {
      "kind": "kindValue",
      "apiVersion": "apiVersionValue",
      "name": "nameValue",
      "uid": "uidValue"
    }

	OIDCSigningAlgs             []string
	ServiceAccountKeyFiles      []string
	ServiceAccountLookup        bool
	ServiceAccountIssuers       []string
	APIAudiences                authenticator.Audiences
	WebhookTokenAuthnConfigFile string
	WebhookTokenAuthnVersion    string
	WebhookTokenAuthnCacheTTL   time.Duration
	// WebhookRetryBackoff specifies the backoff parameters for the authentication webhook retry logic.

        "properties": {
          "audiences": {

}

func recordAuthenticationMetrics(ctx context.Context, resp *authenticator.Response, ok bool, err error, apiAudiences authenticator.Audiences, authStart time.Time, authFinish time.Time) {
	var resultLabel string

	switch {
	case err != nil || (resp != nil && !audiencesAreAcceptable(apiAudiences, resp.Audiences)):
		resultLabel = errorLabel
	case !ok:
		resultLabel = failureLabel
	default:
		resultLabel = successLabel

	for _, tokenRequest := range csiDriver.Spec.TokenRequests {
		audience := tokenRequest.Audience
		audiences := []string{audience}
		if audience == "" {
			audiences = []string{}
		}
		tr, err := c.plugin.serviceAccountTokenGetter(c.pod.Namespace, c.pod.Spec.ServiceAccountName, &authenticationv1.TokenRequest{
			Spec: authenticationv1.TokenRequestSpec{
				Audiences:         audiences,
				ExpirationSeconds: tokenRequest.ExpirationSeconds,

	*genericregistry.Store
	Token *TokenREST
}

// NewREST returns a RESTStorage object that will work against service accounts.
func NewREST(optsGetter generic.RESTOptionsGetter, issuer token.TokenGenerator, auds authenticator.Audiences, max time.Duration, podStorage, secretStorage, nodeStorage rest.Getter, extendExpiration bool) (*REST, error) {
	store := &genericregistry.Store{
		NewFunc:                   func() runtime.Object { return &api.ServiceAccount{} },