-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: enable/disable automountServiceAccountToken at Pod level #3575
base: main
Are you sure you want to change the base?
Conversation
Hi @darkweaver87. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: darkweaver87 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@@ -388,3 +388,6 @@ enableServiceMutatorWebhook: true | |||
|
|||
# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs. | |||
serviceTargetENISGTags: | |||
|
|||
# Automount API credentials for a Service Account at Pod level. | |||
automountServiceAccountToken: true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would have the default value as false
to avoid changing existing user behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK :-) done
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I've taken a further look here, looks like the automountServiceAccountToken
is an opt-out for both pod and SA: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting. And if automountServiceAccountToken
is specified both on pod and SA level, the pod level one will take precedence.
I'm just trying to avoid breaking change to existing users here. Do you mind changing the automountServiceAccountToken
at pod level to an if condition? If it's specified in the values.yaml, we populate in the manifest, otherwise leave it blank. And in the values.yaml
let's just comment out this entry.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes you're right. I applied your recommendation without thinking. The default in kubernetes, if not explicitly set, is true
for both Pod
and ServiceAccount
.
Usually I set it to false
at ServiceAccount
level to avoid automatic mount and true
at Pod
level to allow pods which really need it. It's particularly useful for the default service account in a namespace.
Some security tools check for this: https://hub.armosec.io/docs/c-0034.
Actually, at first, I wanted to make it not configurable. What do you think about removing the value and just set it hardly to false
at ServiceAccount
level and true
at Pod
level ? It won't be breaking in anyway except if people is using aws-load-balancer-controller
ServiceAccount
for another purpose that this helm chart ...
Or maybe another option might be to have a setAutomountServiceAccountToken
which if is true
set it to the values I was mentioning previously.
384be1a
to
48046dc
Compare
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Description
Some people may want to disable mounting API credentials at ServiceAccount level but still want controller Pod to have automatically access to resources defined in RBACs.
This PR makes it customizable.
Checklist
README.md
, or thedocs
directory)BONUS POINTS checklist: complete for good vibes and maybe prizes?! 馃く