fix(eck-operator): make automountServiceAccountToken configurable #7690
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Keeps the default behaviour of having automountServiceAccountToken set to true for ServiceAccount/Statefulset Signed-off-by: Stefan Caraiman <stefanc.caraiman@gmail.com>
stefan-caraiman
force-pushed
the
fix/configurable-automountServiceAccountToken
branch
from
ada6542 to
05a23bf
Compare
thbkrkr
added
>enhancement
|
@thbkrkr could you please have a look 👀 thanks! |
thbkrkr
reviewed
Apr 17, 2024
There was a problem hiding this comment.
Looks very good overall! I left one question.
Could you please add some unit tests that covers the different cases? Here's a start to get you started:
> cat deploy/eck-operator/templates/tests/statefulset_test.yaml
suite: test operator statefulset
templates:
- statefulset.yaml
- configmap.yaml
tests:
- it: should have automount service account tokens set by default
asserts:
- template: statefulset.yaml
equal:
path: spec.template.spec.automountServiceAccountToken
value: true
- it: should disable automount service account tokens
set:
automountServiceAccountToken: false
asserts:
- template: statefulset.yaml
equal:
path: spec.template.spec.automountServiceAccountToken
value: falseCo-authored-by: Thibault Richard <thbkrkr@users.noreply.github.com>
|
@thbkrkr added some minimal unit tests, let me know if i should add something else 👍 |
Test automountServiceAccountToken in the SA/Statefulset.
stefan-caraiman
force-pushed
the
fix/configurable-automountServiceAccountToken
branch
from
45822f1 to
41ebb57
Compare
thbkrkr
approved these changes
Apr 23, 2024
|
buildkite test this |
|
Thank you Stephan for this contribution! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Keeps the
automountServiceAccountTokendefaulting totruejust as before for ServiceAccount/StatefulsetIt makes it configurable though for cases such as with Azure AKS Security policy which scans for any pod/SA that have it set to
trueand instead recommended as part of their security benchmarks to disable automounting and injecting the service account tokens as volumes explicitly for each workload that requires it: Kubernetes clusters should disable automounting API credentialsA similar thread on this from
cert-managerand hardened values for such setups & rationale behind it.