Service Account Token Volume
Some services, such as Istio and Envoy's Secret Discovery Service (SDS), take advantage of a new feature in Kubernetes 1.12+, Service Account Token Volume Projection.
As of kOps 1.20, the API servers will have the ServiceAccount issuers configured correctly and you should not do any custom configuration. The API server will be used for discovery by default. As of kOps 1.21, you can also publish issuer discovery metadata publically. See the relevant section in the cluster spec.