OCPBUGS-42593: hardening service account automount

Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>
bpfman · Oct 23, 2024 · 02a49cc · 02a49cc
1 parent 0c0ba31
commit 02a49cc
Showing 1 changed file with 2 additions and 0 deletions.
diff --git a/controllers/bpfman-operator/configmap.go b/controllers/bpfman-operator/configmap.go
@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/utils/ptr"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/event"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
@@ -321,6 +322,7 @@ func LoadAndConfigureBpfmanDs(config *corev1.ConfigMap, path string) *appsv1.Dae
 	staticBpfmanDeployment.Spec.Template.ObjectMeta.Annotations["bpfman.io.bpfman.agent.metricaddr"] = bpfmanMetricAddr
 	staticBpfmanDeployment.Name = internal.BpfmanDsName
 	staticBpfmanDeployment.Namespace = config.Namespace
+	staticBpfmanDeployment.Spec.Template.Spec.AutomountServiceAccountToken = ptr.To(true)
 	for cindex, container := range staticBpfmanDeployment.Spec.Template.Spec.Containers {
 		if container.Name == internal.BpfmanContainerName {
 			staticBpfmanDeployment.Spec.Template.Spec.Containers[cindex].Image = bpfmanImage