Type: Story
Resolution: Unresolved
Priority: Critical
Version: openshift-4.13
In OCP, users can invalidate public keys used to sign Service Account tokens. When this happens, all the tokens that were signed with this key are invalidated, and requests made with them result in Unauthorized errors.
Today, kubelet doesn't recover instantly from this scenario: it has to wait for the tokens to expire before refreshing them, which usually causes a lot of disruption. For instance, we had to open this bug https://issues.redhat.com/browse/OCPBUGS-8529 to reduce the disruption this was causing in CI.
Ideally we would want kubelet to refresh tokens whenever they become invalid because the public keys were invalidated.
More info on that can be found in: https://redhat-internal.slack.com/archives/CK1AE4ZCK/p1678213047033239
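The following is an added triage check (not code from this issue or from kubelet) that illustrates the gap described above: it reads the `kid` from a projected service account token without verifying the signature, looks it up in the cluster's JWKS, and, when the key is no longer advertised, reports how long kubelet would keep presenting the dead token before its `exp` forces a refresh. The JWKS, key ids and token claims below are constructed sample data, and `check_token_against_jwks` is a hypothetical helper name.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments strip base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def parse_jwt_unverified(token: str) -> tuple:
    # Triage only: signature is NOT checked here; the API server decides
    # validity. We only need the header (kid) and claims (exp).
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def check_token_against_jwks(token: str, jwks: dict, now: int) -> dict:
    # A token whose kid is absent from the JWKS was signed by a key the
    # cluster no longer trusts; kubelet will not refresh it before exp.
    header, claims = parse_jwt_unverified(token)
    known_kids = {k.get("kid") for k in jwks.get("keys", [])}
    kid = header.get("kid")
    exp = int(claims["exp"])
    return {
        "kid": kid,
        "key_known": kid in known_kids,
        "expired": now >= exp,
        "seconds_until_refresh": max(0, exp - now),
    }


def make_unsigned_token(header: dict, claims: dict) -> str:
    # Constructed sample token with an empty signature segment.
    return ".".join([_b64url_encode(json.dumps(header).encode()),
                     _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed sample: the JWKS now serves only "key-b"; "key-a" was invalidated.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "kid": "key-b", "use": "sig", "alg": "RS256",
                         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"}]}
NOW = 1_700_000_000
CLAIMS = {"iss": "https://kubernetes.default.svc", "iat": NOW - 600, "exp": NOW + 3600,
          "sub": "system:serviceaccount:example-ns:example-sa"}
STALE_TOKEN = make_unsigned_token({"alg": "RS256", "kid": "key-a"}, CLAIMS)
FRESH_TOKEN = make_unsigned_token({"alg": "RS256", "kid": "key-b"}, CLAIMS)

if __name__ == "__main__":
    print(check_token_against_jwks(STALE_TOKEN, SAMPLE_JWKS, NOW))
```

Against a real cluster, the token comes from the pod's mounted `/var/run/secrets/kubernetes.io/serviceaccount/token` and the JWKS from the API server's `/openid/v1/jwks` endpoint.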