Kubernetes stopped creating secrets with tokens for service accounts in version 1.24. Less privileged tokens are still being created in OpenShift 4.11 and 4.12, but this is not explained clearly.

1. https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html#ocp-4-11-notable-technical-changes [LegacyServiceAccountTokenNoAutoGeneration is on by default]
2. https://docs.openshift.com/container-platform/4.11/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts
3. https://docs.openshift.com/container-platform/4.12/authentication/using-service-accounts-in-applications.html#auto-generated-sa-token-secrets_using-service-accounts

The links above initially state "a service account token secret is no longer automatically generated," but later point out that a service account token is still created. The release notes state that "These tokens do not work," but providing one of these tokens does allow for authenticating and listing API endpoints.

The following changes would improve the documentation for security-sensitive users:
1. Remove the contradictory statements that tokens are no longer created
2. Remove the statement that the tokens do not work.
3. Explain why OpenShift continues to generate tokens when upstream Kubernetes does not.
4. Describe the more limited privileges of the tokens still being generated
5. If possible, provide more detail about the plans to remove these tokens in future releases.