kubernetes-sigs · k8s-ci-robot · May 8, 2026 · May 7, 2026 · May 8, 2026
diff --git a/docs/book/src/topics/workload-identity.md b/docs/book/src/topics/workload-identity.md
@@ -42,6 +42,7 @@ you have access to Azure cloud services.
   - `SERVICE_ACCOUNT_NAME`: Name of the capz-manager or azureserviceoperator-default k8s service account. Default is `capz-manager` for CAPZ and `azureserviceoperator-default` for ASO.
   - `SERVICE_ACCOUNT_ISSUER`: Path of the Azure storage container created in the previous step, specifically:
     - `"https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/"`
+    - If unset, the cluster template falls back to kubeadm's default `https://kubernetes.default.svc.cluster.local`. Set it to your Azure storage container URL when running `clusterctl generate cluster ...` so projected service account tokens in the workload cluster are signed with an AAD-discoverable issuer.
 
   Create two federated identity credentials, one for CAPZ and one for ASO, by following [these instructions](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html). You'll need to set `SERVICE_ACCOUNT_NAME` and `SERVICE_ACCOUNT_NAMESPACE` to different values for each credential.
   Use either `user-assigned-identity` or `AD application` when creating the credentials, and add the `contributor` role to each.

diff --git a/templates/cluster-template-aad.yaml b/templates/cluster-template-aad.yaml
diff --git a/templates/cluster-template-apiserver-ilb.yaml b/templates/cluster-template-apiserver-ilb.yaml
diff --git a/templates/cluster-template-azure-bastion.yaml b/templates/cluster-template-azure-bastion.yaml
diff --git a/templates/cluster-template-azure-cni-v1.yaml b/templates/cluster-template-azure-cni-v1.yaml
diff --git a/templates/cluster-template-dual-stack.yaml b/templates/cluster-template-dual-stack.yaml
diff --git a/templates/cluster-template-edgezone.yaml b/templates/cluster-template-edgezone.yaml
diff --git a/templates/cluster-template-ephemeral.yaml b/templates/cluster-template-ephemeral.yaml
diff --git a/templates/cluster-template-flatcar-sysext.yaml b/templates/cluster-template-flatcar-sysext.yaml
diff --git a/templates/cluster-template-flatcar.yaml b/templates/cluster-template-flatcar.yaml
diff --git a/templates/cluster-template-ipv6.yaml b/templates/cluster-template-ipv6.yaml
diff --git a/templates/cluster-template-machinepool-windows.yaml b/templates/cluster-template-machinepool-windows.yaml
diff --git a/templates/cluster-template-machinepool.yaml b/templates/cluster-template-machinepool.yaml
diff --git a/templates/cluster-template-nvidia-gpu.yaml b/templates/cluster-template-nvidia-gpu.yaml
diff --git a/templates/cluster-template-private.yaml b/templates/cluster-template-private.yaml
diff --git a/templates/cluster-template-windows-apiserver-ilb.yaml b/templates/cluster-template-windows-apiserver-ilb.yaml
diff --git a/templates/cluster-template-windows.yaml b/templates/cluster-template-windows.yaml
diff --git a/templates/cluster-template.yaml b/templates/cluster-template.yaml
@@ -48,7 +48,8 @@ spec:
   kubeadmConfigSpec:
     clusterConfiguration:
       apiServer:
-        extraArgs: {}
+        extraArgs:
+          service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local}
         timeoutForControlPlane: 20m
       controllerManager:
         extraArgs:

diff --git a/templates/flavors/base/cluster-template.yaml b/templates/flavors/base/cluster-template.yaml
@@ -58,7 +58,8 @@ spec:
     clusterConfiguration:
       apiServer:
         timeoutForControlPlane: 20m
-        extraArgs: {}
+        extraArgs:
+          service-account-issuer: ${SERVICE_ACCOUNT_ISSUER:-https://kubernetes.default.svc.cluster.local}
       controllerManager:
         extraArgs:
           allocate-node-cidrs: "false"

diff --git a/templates/test/ci/cluster-template-prow-apiserver-ilb-custom-images.yaml b/templates/test/ci/cluster-template-prow-apiserver-ilb-custom-images.yaml
diff --git a/templates/test/ci/cluster-template-prow-apiserver-ilb.yaml b/templates/test/ci/cluster-template-prow-apiserver-ilb.yaml
diff --git a/templates/test/ci/cluster-template-prow-azl3.yaml b/templates/test/ci/cluster-template-prow-azl3.yaml
diff --git a/templates/test/ci/cluster-template-prow-azure-cni-v1.yaml b/templates/test/ci/cluster-template-prow-azure-cni-v1.yaml
diff --git a/templates/test/ci/cluster-template-prow-ci-version-azl3.yaml b/templates/test/ci/cluster-template-prow-ci-version-azl3.yaml
diff --git a/templates/test/ci/cluster-template-prow-ci-version-dra.yaml b/templates/test/ci/cluster-template-prow-ci-version-dra.yaml
diff --git a/templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml b/templates/test/ci/cluster-template-prow-ci-version-dual-stack.yaml
diff --git a/templates/test/ci/cluster-template-prow-ci-version-ipv6.yaml b/templates/test/ci/cluster-template-prow-ci-version-ipv6.yaml
diff --git a/templates/test/ci/cluster-template-prow-ci-version-md-and-mp.yaml b/templates/test/ci/cluster-template-prow-ci-version-md-and-mp.yaml
diff --git a/templates/test/ci/cluster-template-prow-ci-version-windows.yaml b/templates/test/ci/cluster-template-prow-ci-version-windows.yaml
diff --git a/templates/test/ci/cluster-template-prow-ci-version.yaml b/templates/test/ci/cluster-template-prow-ci-version.yaml
diff --git a/templates/test/ci/cluster-template-prow-custom-vnet.yaml b/templates/test/ci/cluster-template-prow-custom-vnet.yaml
diff --git a/templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml b/templates/test/ci/cluster-template-prow-dalec-custom-builds.yaml
diff --git a/templates/test/ci/cluster-template-prow-dual-stack.yaml b/templates/test/ci/cluster-template-prow-dual-stack.yaml
diff --git a/templates/test/ci/cluster-template-prow-edgezone.yaml b/templates/test/ci/cluster-template-prow-edgezone.yaml
diff --git a/templates/test/ci/cluster-template-prow-flatcar-sysext.yaml b/templates/test/ci/cluster-template-prow-flatcar-sysext.yaml
diff --git a/templates/test/ci/cluster-template-prow-ipv6.yaml b/templates/test/ci/cluster-template-prow-ipv6.yaml
diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version-multi-zone.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version-multi-zone.yaml
diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version-windows.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version-windows.yaml
diff --git a/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml b/templates/test/ci/cluster-template-prow-machine-pool-ci-version.yaml
diff --git a/templates/test/ci/cluster-template-prow-machine-pool-flex.yaml b/templates/test/ci/cluster-template-prow-machine-pool-flex.yaml
diff --git a/templates/test/ci/cluster-template-prow-machine-pool-windows.yaml b/templates/test/ci/cluster-template-prow-machine-pool-windows.yaml