cert-manager: restrict automount of service account tokens
cert-manager does need to be able to speak to the kube apiserver, so the token is required; however, best practice is to do this using a projected volume.
Using automountServiceAccountToken: true will mount the token to all containers whether or not they actually need access (i.e. initContainers / sidecars). Using a projected volume & volumeMounts ensures that we follow the principle of least privilege.
Restricting the automounting of service account tokens would be a good contender for an OPA / Kyverno policy to add.
For more info see here.
Closes #91 (closed)
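The pattern described above, as an added example that is not the manifest from this merge request: automounting is switched off at the pod level and the token is supplied through a projected volume mounted only in the container that talks to the apiserver. The names, image references and the log-shipper sidecar are constructed for illustration.

```yaml
# Added example. Names, images and the sidecar are assumptions, not taken
# from the cert-manager chart or from this merge request.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager
  namespace: cert-manager
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cert-manager
  template:
    metadata:
      labels:
        app: cert-manager
    spec:
      serviceAccountName: cert-manager
      # Stop the token volume from being added to every container in the pod.
      automountServiceAccountToken: false
      containers:
        - name: cert-manager-controller
          image: example.invalid/cert-manager-controller:PLACEHOLDER
          volumeMounts:
            # Same path in-cluster client configuration reads from.
            - name: serviceaccount-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
        - name: log-shipper  # hypothetical sidecar: no volumeMount, so no token
          image: example.invalid/log-shipper:PLACEHOLDER
      volumes:
        - name: serviceaccount-token
          projected:
            defaultMode: 0444
            sources:
              - serviceAccountToken:   # short-lived, kubelet-rotated token
                  path: token
                  expirationSeconds: 3607
              - configMap:             # cluster CA bundle published per namespace
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        apiVersion: v1
                        fieldPath: metadata.namespace
```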