From 170db9393d4e91c24da29c36e3186726194892fc Mon Sep 17 00:00:00 2001
From: MoritzWeber
Date: Mon, 11 Mar 2024 16:42:38 +0100
Subject: [PATCH] feat: Disable automatic service account mounting

Service accounts aren't needed for most of the services since they don't talk to the Kubernetes API. For increased security, we disable the automatic mounting of secrets.
---
 helm/templates/backend/postgres.deployment.yaml | 1 +
 helm/templates/docs/docs.deployment.yaml | 1 +
 helm/templates/frontend/frontend.deployment.yaml | 1 +
 helm/templates/grafana/nginx.deployment.yaml | 1 +
 helm/templates/guacamole/guacamole.deployment.yaml | 1 +
 helm/templates/guacamole/guacd.deployment.yaml | 1 +
 helm/templates/guacamole/postgres.deployment.yaml | 1 +
 helm/templates/mock/oauth.deployment.yaml | 1 +
 helm/templates/prometheus/nginx.deployment.yaml | 1 +
 helm/templates/prometheus/prometheus.deployment.yaml | 1 +
 10 files changed, 10 insertions(+)

diff --git a/helm/templates/backend/postgres.deployment.yaml b/helm/templates/backend/postgres.deployment.yaml
index a567461fb9..02306a6aa9 100644
--- a/helm/templates/backend/postgres.deployment.yaml
+++ b/helm/templates/backend/postgres.deployment.yaml
@@ -20,6 +20,7 @@ spec:
 labels:
 id: {{ .Release.Name }}-deployment-backend-postgres
 spec:
+ automountServiceAccountToken: false
 {{ if not .Values.development }}
 volumes:
 - name: {{ .Release.Name }}-data
diff --git a/helm/templates/docs/docs.deployment.yaml b/helm/templates/docs/docs.deployment.yaml
index d775c47102..50e1407452 100644
--- a/helm/templates/docs/docs.deployment.yaml
+++ b/helm/templates/docs/docs.deployment.yaml
@@ -17,6 +17,7 @@ spec:
 labels:
 id: {{ .Release.Name }}-deployment-docs
 spec:
+ automountServiceAccountToken: false
 {{- include "capellacollab.pod.spec" . | indent 6 -}}
 containers:
 - name: {{ .Release.Name }}-docs
diff --git a/helm/templates/frontend/frontend.deployment.yaml b/helm/templates/frontend/frontend.deployment.yaml
index db1636692e..d1730f28f2 100644
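Review bot: The new `automountServiceAccountToken: false` in docs.deployment.yaml is placed directly above `{{- include "capellacollab.pod.spec" . | indent 6 -}}`, so a security default is now hand-copied into each template even where the chart already has a shared pod-spec helper (this pod and the prometheus pod include it). Putting the default into `capellacollab.pod.spec` would give those pods one source of truth and stop the copies from drifting when the next template is added. The other eight templates in this commit do not include the helper, so they would keep the explicit line unless they are switched to the helper as well.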
--- a/helm/templates/frontend/frontend.deployment.yaml
+++ b/helm/templates/frontend/frontend.deployment.yaml
@@ -21,6 +21,7 @@ spec:
 annotations:
 checksum/config-promtail: {{ include (print $.Template.BasePath "/promtail" "/promtail.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 volumes:
 {{ if .Values.loki.enabled }}
 - name: logs
diff --git a/helm/templates/grafana/nginx.deployment.yaml b/helm/templates/grafana/nginx.deployment.yaml
index b4e8d77c82..0571333358 100644
--- a/helm/templates/grafana/nginx.deployment.yaml
+++ b/helm/templates/grafana/nginx.deployment.yaml
@@ -22,6 +22,7 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/grafana/nginx.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 volumes:
 - name: {{ .Release.Name }}-grafana-nginx
 configMap:
diff --git a/helm/templates/guacamole/guacamole.deployment.yaml b/helm/templates/guacamole/guacamole.deployment.yaml
index 0be4cac055..b2c86ec891 100644
--- a/helm/templates/guacamole/guacamole.deployment.yaml
+++ b/helm/templates/guacamole/guacamole.deployment.yaml
@@ -21,6 +21,7 @@ spec:
 annotations:
 checksum/config-promtail: {{ include (print $.Template.BasePath "/promtail" "/promtail.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 volumes:
 {{ if .Values.loki.enabled }}
 - name: unused
diff --git a/helm/templates/guacamole/guacd.deployment.yaml b/helm/templates/guacamole/guacd.deployment.yaml
index f54b529a38..f58dd97590 100644
--- a/helm/templates/guacamole/guacd.deployment.yaml
+++ b/helm/templates/guacamole/guacd.deployment.yaml
@@ -21,6 +21,7 @@ spec:
 annotations:
 checksum/config-promtail: {{ include (print $.Template.BasePath "/promtail" "/promtail.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 volumes:
 {{ if .Values.loki.enabled }}
 - name: logs
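Review bot: The frontend pod carries a promtail sidecar (the `checksum/config-promtail` annotation and the `logs` volume in this hunk), and promtail can run without a service-account token only when its scrape config uses `static_configs` on the shared log volume rather than `kubernetes_sd_configs`; the promtail configmap is not part of this commit, so that should be confirmed before `automountServiceAccountToken: false` lands here. The same check applies to the guacamole and guacd hunks, which carry the same annotation and volume. A short comment above the new line would record the assumption for the next reader, e.g. `# promtail sidecar scrapes static targets; no Kubernetes API access needed`.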
diff --git a/helm/templates/guacamole/postgres.deployment.yaml b/helm/templates/guacamole/postgres.deployment.yaml
index ec75a990c6..4327f614e7 100644
--- a/helm/templates/guacamole/postgres.deployment.yaml
+++ b/helm/templates/guacamole/postgres.deployment.yaml
@@ -24,6 +24,7 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/guacamole" "/postgres.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 volumes:
 - name: {{ .Release.Name }}-data
 persistentVolumeClaim:
diff --git a/helm/templates/mock/oauth.deployment.yaml b/helm/templates/mock/oauth.deployment.yaml
index bc647f9ec1..4fd68a1137 100644
--- a/helm/templates/mock/oauth.deployment.yaml
+++ b/helm/templates/mock/oauth.deployment.yaml
@@ -22,6 +22,7 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/mock/oauth.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 volumes:
 - name: {{ .Release.Name }}-oauth-mock
 configMap:
diff --git a/helm/templates/prometheus/nginx.deployment.yaml b/helm/templates/prometheus/nginx.deployment.yaml
index d16111388c..c7976fb1a2 100644
--- a/helm/templates/prometheus/nginx.deployment.yaml
+++ b/helm/templates/prometheus/nginx.deployment.yaml
@@ -21,6 +21,7 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/prometheus/nginx.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 volumes:
 - name: {{ .Release.Name }}-prometheus-nginx
 configMap:
diff --git a/helm/templates/prometheus/prometheus.deployment.yaml b/helm/templates/prometheus/prometheus.deployment.yaml
index a71a7cf324..fb1b4a481e 100644
--- a/helm/templates/prometheus/prometheus.deployment.yaml
+++ b/helm/templates/prometheus/prometheus.deployment.yaml
@@ -22,6 +22,7 @@ spec:
 annotations:
 checksum/config: {{ include (print $.Template.BasePath "/prometheus/prometheus.configmap.yaml") . | sha256sum }}
 spec:
+ automountServiceAccountToken: false
 serviceAccountName: {{ .Release.Name }}-prometheus
 {{- include "capellacollab.pod.spec" . | indent 6 -}}
 containers:
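Review bot: This pod sets `serviceAccountName: {{ .Release.Name }}-prometheus` on the line right after the new `automountServiceAccountToken: false`, which suggests the dedicated account exists precisely so Prometheus can reach the API server; if its scrape config uses `kubernetes_sd_configs`, disabling the token mount will break service discovery even though the pod still runs as that account. The commit message only claims the token is unneeded for "most" services, and this template looks like the exception. Either drop the added line here, or keep it and mount the token explicitly through a projected `serviceAccountToken` volume so its lifetime and mount path are chosen deliberately rather than defaulted. The rest of the pod spec comes from `capellacollab.pod.spec`, and `containers:` continues outside the hunk.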