Do not mount serviceaccount token in httpd container
The following discussion from !6 (merged) should be addressed:
- [ ] @alossent started a discussion: (+1 comment)

> Security consideration (make it a follow-up issue if solution is not trivial): by default, Kubernetes mounts the serviceAccount token in pod containers. This MUST NOT happen on the httpd container, as user applications would then be able to read it and use the serviceAccount to access the Kubernetes API.
>
> The serviceAccount token only needs to be mounted in the `webeos-config-manager` sidecar container, to retrieve the list of webeosSites to serve. See `automountServiceAccountToken` to disable automatic injection of the token. Since this is a field per pod, we must disable it for the whole pod and then explicitly mount the token in the `webeos-config-manager` sidecar container only. The service account token volume projection may be useful for that.
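The pod layout the discussion asks for, as an added example and not a manifest from the webeos project: `automountServiceAccountToken: false` disables the default mount for every container, and a projected `serviceAccountToken` volume is mounted only in the `webeos-config-manager` sidecar. The pod name, service account name and both image references are placeholders.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: webeos-example                  # placeholder pod name
spec:
  serviceAccountName: webeos            # placeholder service account
  # Pod-wide switch: no container gets the token under
  # /var/run/secrets/kubernetes.io/serviceaccount automatically.
  automountServiceAccountToken: false
  volumes:
    - name: sa-token
      projected:
        sources:
          # Short-lived, bound token issued by the API server (TokenRequest);
          # the kubelet rotates it before it expires.
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
  containers:
    - name: httpd
      image: httpd:2.4                  # placeholder image
      # Deliberately no volumeMounts entry for sa-token: user applications
      # served by httpd have nothing to read.
      ports:
        - containerPort: 8080
    - name: webeos-config-manager
      image: webeos-config-manager:latest   # placeholder image
      volumeMounts:
        # Only the sidecar that lists webeosSites gets the token.
        - name: sa-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
```

To confirm the isolation after deployment, `kubectl exec <pod> -c httpd -- ls /var/run/secrets/kubernetes.io/serviceaccount /var/run/secrets/tokens` should fail for both paths, while the same command with `-c webeos-config-manager` lists `/var/run/secrets/tokens/token`.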