-
Notifications
You must be signed in to change notification settings - Fork 14
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OCPBUGS-42593: hardening service account automount #327
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #327 +/- ##
=======================================
Coverage 27.60% 27.61%
=======================================
Files 87 87
Lines 7499 7500 +1
=======================================
+ Hits 2070 2071 +1
Misses 5228 5228
Partials 201 201
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Signed-off-by: Mohamed Mahmoud <[email protected]>
@@ -321,6 +322,7 @@ func LoadAndConfigureBpfmanDs(config *corev1.ConfigMap, path string) *appsv1.Dae | |||
staticBpfmanDeployment.Spec.Template.ObjectMeta.Annotations["bpfman.io.bpfman.agent.metricaddr"] = bpfmanMetricAddr | |||
staticBpfmanDeployment.Name = internal.BpfmanDsName | |||
staticBpfmanDeployment.Namespace = config.Namespace | |||
staticBpfmanDeployment.Spec.Template.Spec.AutomountServiceAccountToken = ptr.To(true) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This may be a stupid question, but I'm trying to understand this change.
If we weren't automounting the service account token before, were we manually mounting it or passing it in somehow? And, If so, should that mechanism be removed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this is a valid question for the manual token creation there should have been
oc create token <token-name>
somewhere in the process but I couldn't find that
so to me this looked like a bug that was waiting to happen when trying to mount secrets volume /var/run/secrets/kubernetes.io/serviceaccount
for specific serviceAccount
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for looking into it. LGTM.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/LGTM
Address security warning about
automount service account token – set to FALSE