docs for kubeconfig expiring tokens

kinarashah
2020-08-24 11:33:09 -07:00
committed by Catherine Luse
parent 86daf79b8d
commit 033b7baf4d
4 changed files with 45 additions and 1 deletion
@@ -7,6 +7,7 @@ By default, some cluster-level API tokens are generated with infinite time-to-li
You can deactivate API tokens by deleting them or by deactivating the user account.
### Deleting tokens
To delete a token,
1. Go to the list of all tokens in the Rancher API view at `https://<Rancher-Server-IP>/v3/tokens`.
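Review bot: the added sentence names deactivating the user account as a second way to invalidate API tokens, but this section only documents deleting tokens, so readers cannot tell whether a deactivated user's existing tokens stop working immediately or where account deactivation is described; add a short pointer to that procedure (or one sentence on the effect on issued tokens) next to the "Deleting tokens" heading.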
@@ -19,7 +20,7 @@ Here is the complete list of tokens that are generated with `ttl=0`:
| Token | Description |
|-------|-------------|
| `kubeconfig-*` | Kubeconfig token |
| `kubeconfig-*` | Kubeconfig token |
| `kubectl-shell-*` | Access to `kubectl` shell in the browser |
| `agent-*` | Token for agent deployment |
| `compose-token-*` | Token for compose |
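Review bot: per the `-19,7 +20,7` header this hunk replaces the `kubeconfig-*` row one-for-one, yet the old and new rows read identically here, so the intended change is not visible. Whatever the new wording is, it should qualify the row, because the table is introduced as "the complete list of tokens that are generated with `ttl=0`" while the new "Setting TTL on Kubeconfig Tokens" section below makes kubeconfig tokens expire when an admin enables that setting; something like `| kubeconfig-* | Kubeconfig token (ttl=0 unless a kubeconfig token TTL is enforced, see below) |` keeps the table accurate.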
@@ -27,3 +28,21 @@ Here is the complete list of tokens that are generated with `ttl=0`:
| `*-pipeline*` | Pipeline token for project |
| `telemetry-*` | Telemetry token |
| `drain-node-*` | Token for drain (we use `kubectl` for drain because there is no native Kubernetes API) |
### Setting TTL on Kubeconfig Tokens
_**Available as of v2.4.6**_
Starting Rancher v2.4.6, admins can set a global TTL on Kubeconfig tokens. Once the token expires the kubectl command will require the user to authenticate to Rancher.
1. Disable the kubeconfig-generate-token setting in the Rancher API view at `https://<Rancher-Server-IP/v3/settings/kubeconfig-generate-token`. This setting instructs Rancher to no longer automatically generate a token when a user clicks on download a kubeconfig file. The kubeconfig file will now provide a command to login to Rancher.
2. Edit the setting and set the value to `false`.
3. Go to setting kubeconfig-token-ttl-minutes in the Rancher API view at `https://<Rancher-Server-IP/v3/settings/kubeconfig-token-ttl-minutes`. By default, kubeconfig-token-ttl-minutes is 960 (16 hours).
4. Edit the setting and set the value to desired duration in minutes.
_**Note:**_ This value cannot exceed max-ttl of API tokens.(`https://<Rancher-Server-IP/v3/settings/auth-token-max-ttl-minutes`). In Rancher v2.4.6, auth-token-max-ttl-minutes is set to 1440 (24 hours) by default. Starting Rancher v2.4.7, auth-token-max-ttl-minutes would default to 0 allowing tokens to never expire, similar to v2.4.5.
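Review bot: the three setting URLs in steps 1 and 3 and in the note are missing the closing `>` after `<Rancher-Server-IP` (compare `https://<Rancher-Server-IP>/v3/tokens` in the Deleting tokens section above). Step 1 also says "Disable the kubeconfig-generate-token setting" while step 2 is the step that actually sets it to `false`; reword step 1 as "Go to the `kubeconfig-generate-token` setting in the Rancher API view at ..." to match step 3. In the note, say what "cannot exceed max-ttl" means when `auth-token-max-ttl-minutes` is 0, since the same note says the v2.4.7 default of 0 lets tokens never expire, and replace "would default to 0" with "defaults to 0" and "max-ttl of API tokens.(" with "max-ttl of API tokens (".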
@@ -13,6 +13,11 @@ This kubeconfig file and its contents are specific to the cluster you are viewin
After you download the kubeconfig file, you will be able to use the kubeconfig file and its Kubernetes [contexts](https://kubernetes.io/docs/reference/kubectl/cheatsheet/#kubectl-context-and-configuration) to access your downstream cluster.
_Available as of v2.4.6_
If admins have [enforced TTL on kubeconfig tokens](../../api/api-tokens/#setting-ttl-on-kubeconfig-tokens), the kubeconfig file requires [rancher cli](../cli) to be present in your PATH.
### Two Authentication Methods for RKE Clusters
If the cluster is not an [RKE cluster,]({{<baseurl>}}/rancher/v2.x/en/cluster-provisioning/rke-clusters/) the kubeconfig file allows you to access the cluster in only one way: it lets you be authenticated with the Rancher server, then Rancher allows you to run kubectl commands on the cluster.
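Review bot: the added sentence duplicates the requirement added to the Requirements block further down in this file (the next hunk), so one of the two should become a short cross-reference to avoid the text drifting apart later. The new links also use relative paths (`../../api/api-tokens/#setting-ttl-on-kubeconfig-tokens`, `../cli`) while the existing link on the last context line uses the `{{<baseurl>}}/rancher/v2.x/en/...` form; pick one link style for the page.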
@@ -20,3 +20,20 @@ Configure kubectl by visiting your cluster in the Rancher Web UI then clicking o
Run `kubectl cluster-info` or `kubectl get pods` successfully.
_**Available as of v2.4.6**_
_Requirements_
If admins have [enforced TTL on kubeconfig tokens](../../api/api-tokens/#setting-ttl-on-kubeconfig-tokens), the kubeconfig file requires [rancher cli](../cli) to be present in your PATH when you run `kubectl`. Otherwise, youll see error like:
`Unable to connect to the server: getting credentials: exec: exec: "rancher": executable file not found in $PATH`.
This feature enables kubectl to authenticate with rancher server and get new kubeconfig token when required. Following auth providers are currently supported:
1. Local
2. Active Directory
3. FreeIpa, OpenLdap
4. SAML providers - Ping, Okta, ADFS, Keycloak, Shibboleth
When you first run kubectl like, `kubectl get pods` - it will ask you to pick an auth provider and login with rancher server.
The kubeconfig token is cached in the path where you run kubectl under `./.cache/token`. This token is valid till [it expires](../../api/api-tokens/#expiration-period), or [gets deleted from rancher server](../../api/api-tokens/#deleting-tokens)
Upon expiration, the next `kubectl get pods` will ask you to login with rancher server again.
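Review bot: `./.cache/token` is described as relative to the directory where kubectl is run, so readers should be told that a token file is written in every working directory they run kubectl from, that deleting it forces a fresh login, and what file permissions to expect, since this file is a bearer credential equivalent to the kubeconfig token. Minor wording in the same hunk: "youll see error like" should be "you'll see an error like", "Following auth providers are currently supported" should be "The following auth providers are currently supported", list item 3 bundles two providers and should be split into FreeIPA and OpenLDAP with that capitalization, "When you first run kubectl like, `kubectl get pods` - it will ask you" reads better as "The first time you run a kubectl command such as `kubectl get pods`, it asks you", and "valid till" should be "valid until".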
@@ -28,6 +28,9 @@ API Keys are composed of four components:
3. **Optional:** Enter a description for the API key and select an expiration period or a scope. We recommend setting an expiration date.
The API key won't be valid after expiration. Shorter expiration periods are more secure.
_Available as of v2.4.6_
Expiration period will be bound by `v3/settings/auth-token-max-ttl-minutes`. If it exceeds the max-ttl, API key will be created with max-ttl as the expiration period.
A scope will limit the API key so that it will only work against the Kubernetes API of the specified cluster. If the cluster is configured with an Authorized Cluster Endpoint, you will be able to use a scoped token directly against the cluster's API without proxying through the Rancher server. See [Authorized Cluster Endpoints]({{<baseurl>}}/rancher/v2.x/en/overview/architecture/#4-authorized-cluster-endpoint) for more information.
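Review bot: the added sentence describes silent clamping (an expiration longer than `auth-token-max-ttl-minutes` is replaced by the max) but does not say whether the user is told that the requested period was shortened, nor how a max-ttl of 0 is treated, which the api-tokens page in this same commit says means tokens never expire; state both so users know the effective lifetime of the key they created. Also reword "Expiration period will be bound by" as "The expiration period is limited by" and "API key will be created" as "the API key will be created".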