Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: set automountServiceAccountToken to false when default service account is used #172

Merged
merged 1 commit into from
Jul 23, 2024
Merged

fix: set automountServiceAccountToken to false when default service account is used #172

merged 1 commit into from
Jul 23, 2024

Conversation

wittdennis
Copy link
Contributor

@wittdennis wittdennis commented Jul 11, 2024
edited
Loading

Description of the change

Sets automountServiceAccountToken: false when the default service account is used.

Benefits

This would lead to a more secure setup.

Possible drawbacks

None that come to my mind

Additional information

We follow the CIS Kubernetes Benchmark recommendations for a secure Kubernetes cluster setup.

As per point 5.1.5 Ensure that default service accounts are not actively used:
The default service account should not be used to ensure that rights granted to applications can be more easily audited and reviewed.

The suggested remediation is:
Create explicit service accounts wherever a Kubernetes workload requires specific access to the Kubernetes API server. Modify the configuration of each default service account to include this value:

automountServiceAccountToken: false

Checklist

  • Chart version bumped in Chart.yaml according to semver.
  • Variables are documented in the README.md

@wittdennis wittdennis requested a review from dirsigler as a code owner July 11, 2024 09:22
@tibuntu
Copy link

tibuntu commented Jul 17, 2024

@dirsigler any chance this is going to be reviewed soon?

dirsigler
dirsigler approved these changes Jul 23, 2024
View reviewed changes
Copy link
Owner

@dirsigler dirsigler left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@dirsigler
Copy link
Owner

Thank you very much for your patience and the contribution!

@dirsigler dirsigler merged commit 59b24d8 into dirsigler:main Jul 23, 2024
4 checks passed
@wittdennis wittdennis deleted the fix/prevent-automount-serviceaccounttoken-for-default-serviceaccount branch July 23, 2024 11:16
@wittdennis wittdennis mentioned this pull request Aug 1, 2024
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dirsigler dirsigler dirsigler approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wittdennis @tibuntu @dirsigler