Improve error message for projected tokens when API is not enabled

[liggitt]

What type of PR is this?
/kind cleanup

What this PR does / why we need it:
Improves the error message returned from the kubelet if a token cannot be fetched because the API server doesn't have TokenRequest APIs enabled

Which issue(s) this PR fixes:
xref #83189

Does this PR introduce a user-facing change?:

NONE

/sig auth
/cc @mikedanese

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pkg/kubelet/token/OWNERS [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mikedanese]

I guess this could give an inccorrect error if TokenRequest was enabled on the apiserver after kubelet startup, and the service account the pod is running as doesn't exist.

[mikedanese]

/lgtm

[tariq1890]

@liggitt @mikedanese Is it possible that this error may be thrown when BoundServiceAccountTokenVolume disabled despite TokenRequest being enabled.

[liggitt]

BoundServiceAccountTokenVolume enables/disables auto-injected projected token volumes for service account tokens. A pod can manually specify a projected token volume as well.

The kubelet doesn't care whether a projected token volume was auto-injected or manually specified in the pod. When it encounters that type of volume, it makes a token request to the API server to get a token to mount into the pod. If the token request APIs are unavailable, the kubelet will display this error.

[tariq1890]

Thanks for the clarification @liggitt :)