Story
Resolution: Unresolved
As part of service-account-signing-key rotation, a user might need to enforce a limited maximum expiration duration for service account tokens, to ensure a grace period after which all service account tokens are signed with the new private key.
The goal is to allow a graceful rotation and permit validation of old tokens until the rotation is complete (i.e. all tokens have been rotated and are signed with the new key).
Requirements:
- expose the ability on the HostedCluster API to specify max expiration duration for KAS service account tokens (via an annotation or API field)
- set the '--service-account-max-token-expiration' flag on the kube-apiserver
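
The timing argument above, as an added Go example (not code from this project or from Kubernetes): assuming the old public key stays trusted for verification until the rotation time plus the max expiration, it computes that retirement time and flags tokens whose own `exp` would outlive it. The function names and the unsigned sample tokens are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// oldKeyRetirement (hypothetical helper): a token signed with the old key is issued
// no later than rotatedAt and lives at most maxExp, so the key is needed until then.
func oldKeyRetirement(rotatedAt time.Time, maxExp time.Duration) time.Time {
	return rotatedAt.Add(maxExp)
}

// outlivesRetirement reports whether a token could still be presented after
// retireAt. It only reads the payload; it does not verify the signature.
func outlivesRetirement(token string, retireAt time.Time) (bool, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("not a compact JWT: %d segments", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return false, err
	}
	var c struct{ Exp *int64 `json:"exp"` }
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, err
	}
	if c.Exp == nil {
		return true, nil // no exp claim: a max-expiration cap cannot bound it
	}
	return time.Unix(*c.Exp, 0).After(retireAt), nil
}

// sampleToken builds a constructed, unsigned token around a JSON payload.
func sampleToken(payload string) string {
	enc := base64.RawURLEncoding.EncodeToString
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(payload)) + ".sig"
}

func main() {
	retireAt := oldKeyRetirement(time.Unix(1700000000, 0), 24*time.Hour)
	for _, p := range []string{`{"exp":1700003600}`, `{"exp":1700090000}`, `{"sub":"x"}`} {
		fmt.Println(outlivesRetirement(sampleToken(p), retireAt))
	}
}
```

A token issued before the cap was applied can carry an `exp` later than the retirement time, which is why the check reads each token's own `exp` instead of relying on the configured duration alone.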