make MinTokenExpiration configurable by cli flag

[everpeace]

Issue #, if available: #155

Description of changes:

• Changed MinTokenExpiration from const to var
• Introduced a cli flag --min-token-expiration to configure MinTokenExpiration with validation(it must be at least 10min).

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

[jaypipes]

@micahhausler any reason why MinimumTokenExpiration was set to a constant?

@everpeace can you elaborate on the use case that a configurable minimum token expiration value is providing?

[everpeace]

I want to make k8s SA tokens refresh in roughly the same frequency as the default AWS session expiration.

When we assume some security breach scenario, a longer expiration k8s token allows attackers more chances to impersonate. AWS sessions can revoke timely on the AWS management console, but revoking k8s SA tokens timely is relatively difficult because the cluster operator must rotate the signing key of SA tokens, especially in the on-premise cluster cases.

Thus, I think making the value configurable allows users to be able to control their security risk by themselves.

What do you think?

[everpeace]

@jaypipes @micahhausler could you check my PR again??

[micahhausler]

Hey sorry, I have no objection to adding this flag. I'd rather see a value plumbed down than a global variable.