OCPBUGS-42593: hardening service account automount #327
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #327 +/- ##
=======================================
Coverage 27.60% 27.61%
=======================================
Files 87 87
Lines 7499 7500 +1
=======================================
+ Hits 2070 2071 +1
Misses 5228 5228
Partials 201 201
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Signed-off-by: Mohamed Mahmoud <mmahmoud@redhat.com>
| @@ -321,6 +322,7 @@ func LoadAndConfigureBpfmanDs(config *corev1.ConfigMap, path string) *appsv1.Dae | |||
| staticBpfmanDeployment.Spec.Template.ObjectMeta.Annotations["bpfman.io.bpfman.agent.metricaddr"] = bpfmanMetricAddr | |||
| staticBpfmanDeployment.Name = internal.BpfmanDsName | |||
| staticBpfmanDeployment.Namespace = config.Namespace | |||
| staticBpfmanDeployment.Spec.Template.Spec.AutomountServiceAccountToken = ptr.To(true) | |||
There was a problem hiding this comment.
This may be a stupid question, but I'm trying to understand this change.
If we weren't automounting the service account token before, were we manually mounting it or passing it in somehow? And, If so, should that mechanism be removed?
There was a problem hiding this comment.
this is a valid question for the manual token creation there should have been
oc create token <token-name> somewhere in the process but I couldn't find that
so to me this looked like a bug that was waiting to happen when trying to mount secrets volume /var/run/secrets/kubernetes.io/serviceaccount for specific serviceAccount
There was a problem hiding this comment.
Thanks for looking into it. LGTM.
Address security warning about
automount service account token – set to FALSE