To ensure the API Server utilizes its own key pair,
edit the openshift-kube-apiserver configmap
and set the serviceAccountPublicKeyFiles parameter to the public
key file for service accounts:
...
"serviceAccountPublicKeyFiles":[
"/etc/kubernetes/static-pod-resources/configmaps/sa-token-signing-certs"
],
...