Improved service account tokens

• One-line enhancement description (can be used as a release note): Improve security of service account tokens
• Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-auth/1205-bound-service-account-tokens
• Primary contact (assignee): @zshihang
• Responsible SIGs: auth
• Enhancement target (which target equals to which milestone):
  • feature gates: TokenRequest / TokenRequestProjection
    • One-line description: Pods can request service account tokens with improved security.
    • Documentation: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection
    • Alpha: v1.10
    • Beta: v1.12
    • GA: v1.20
      • PR: mv TokenRequest and TokenRequestProjection to GA kubernetes#93258
      • Docs: TokenRequest and TokenRequestProjection are GA now website#24823
  • feature gate: RootCAConfigMap
    • One-line description: Cluster CA information is available in a configmap in each namespace
    • Alpha: v1.13 (part of BoundServiceAccountTokenVolume)
    • Beta: v1.20
      • PR: separate RootCAConfigMap from BoundServiceAccountTokenVolume kubernetes#96197
      • Docs: separate RootCAConfigMap from BoundServiceAccountToken and Beta website#24909
    • GA: v1.21
      • PR: move RootCAConfigMap to ga kubernetes#98033
      • Docs: update doc for BoundServiceAccountTokenVolume and RootCAConfigMap website#27082
  • feature gate: BoundServiceAccountTokenVolume
    • One-line description: Auto-configured service account tokens in pods use projected tokens
    • Alpha: v1.13
    • Beta: v1.21
      • Docs: update doc for BoundServiceAccountTokenVolume and RootCAConfigMap website#27082
    • Stable: v1.22
      • PR: TODO
      • Docs: TODO