GoogleCloudPlatform / prometheus-engine

Google Cloud Managed Service for Prometheus libraries and manifests.
https://g.co/cloud/managedprometheus
Apache License 2.0

Do not automount initcontainer service account token #1107

Closed dashpole closed 1 month ago

dashpole commented 1 month ago

Set automountServiceAccountToken: false for alertmanager StatefulSet.

The pods of this daemonset don't interact with the Kubernetes API. Security best practices recommend that we either use a dedicated service account for this pod or set automountServiceAccountToken: false.
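Added example, not part of the pull request or the project's code: a check over `kubectl get ... -o json` output that lists workloads whose pods would still get a service account token mounted. It relies on the Kubernetes rule that the pod spec's `automountServiceAccountToken` takes precedence over the ServiceAccount's, and that the token is mounted when neither sets it. The function names, sample objects and the `demo` namespace are assumptions made for the example.

```python
import json

# Constructed sample shaped like `kubectl get ... -o json` output, trimmed to the
# fields the check reads. All names and the namespace are hypothetical.
SAMPLE = json.loads("""{"kind": "List", "items": [
 {"kind": "ServiceAccount", "metadata": {"name": "no-token", "namespace": "demo"},
  "automountServiceAccountToken": false},
 {"kind": "StatefulSet", "metadata": {"name": "alertmanager", "namespace": "demo"},
  "spec": {"template": {"spec": {"automountServiceAccountToken": false}}}},
 {"kind": "DaemonSet", "metadata": {"name": "agent", "namespace": "demo"},
  "spec": {"template": {"spec": {"containers": [{"name": "agent"}]}}}},
 {"kind": "Deployment", "metadata": {"name": "web", "namespace": "demo"},
  "spec": {"template": {"spec": {"serviceAccountName": "no-token"}}}},
 {"kind": "Deployment", "metadata": {"name": "override", "namespace": "demo"},
  "spec": {"template": {"spec": {"serviceAccountName": "no-token",
                                  "automountServiceAccountToken": true}}}}
]}""")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a workload that has spec.template.spec."""
    if obj.get("kind") == "Pod":
        return obj.get("spec")
    return obj.get("spec", {}).get("template", {}).get("spec")

def token_automount_findings(doc):
    """List (kind, namespace/name, reason) for pod specs that get an API token mounted."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    sa = {(i["metadata"].get("namespace", "default"), i["metadata"]["name"]):
          i.get("automountServiceAccountToken")
          for i in items if i.get("kind") == "ServiceAccount"}
    findings = []
    for obj in items:
        spec = pod_spec(obj)
        if spec is None:  # ServiceAccounts and other objects without a pod spec
            continue
        ns = obj["metadata"].get("namespace", "default")
        ident = f"{ns}/{obj['metadata']['name']}"
        flag = spec.get("automountServiceAccountToken")
        if flag is None:  # pod spec unset: the ServiceAccount decides, default is to mount
            sa_name = spec.get("serviceAccountName", "default")
            if sa.get((ns, sa_name)) is not False:  # an SA missing from the input counts as mounting
                findings.append((obj["kind"], ident, f"unset; ServiceAccount {sa_name!r} does not disable it"))
        elif flag is True:  # pod spec wins over the ServiceAccount setting
            findings.append((obj["kind"], ident, "explicitly true in pod spec"))
    return findings

if __name__ == "__main__":
    for finding in token_automount_findings(SAMPLE):
        print(*finding, sep="\t")
```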