Closed CodeClinch closed 5 years ago
Just tried, but cannot reproduce. Did you use the prod or test installation/container?

When querying for the default ServiceAccount in namespace `demo`, the settings are applied correctly in my case:

```yaml
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  annotations:
    karydia.gardener.cloud/automountServiceAccountToken.internal: config/change-default
```
As a result, I don't see any mounted directories.
Took a look into your cluster `amy4`, and the `demo` namespace's `default` ServiceAccount is missing the according annotation. When creating new namespaces, e.g. `demo2` and `demo3`, behavior is as expected and no service tokens are mounted. Is it possible that the `demo` ns was created before Karydia was installed?
Description
After installation of karydia the service account token still gets mounted. This shouldn't be the case.
Steps to reproduce
1. Install karydia
2. Create namespace `demo`
3. Start pod: `kubectl run -it --rm --restart=Never alpine --image=alpine sh -n demo`

```
kubectl describe pod/alpine -n demo
Containers:
  alpine2:
    Container ID:   docker://97a60c50df9a54e98b79829b58f5628fa9b7da08fa022895897989611a630a79
    Image:          alpine
    Image ID:       docker-pullable://alpine@sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
    Port:
    Host Port:
    Args:
      sh
    State:          Running
      Started:      Thu, 11 Jul 2019 13:46:23 +0200
    Ready:          True
    Restart Count:  0
    Environment:
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from default-token-27sll (ro)
```
Config:

```
Name:         karydia-config
Namespace:
Labels:       app=karydia
Annotations:
API Version:  karydia.gardener.cloud/v1alpha1
Kind:         KarydiaConfig
Metadata:
  Creation Timestamp:  2019-07-11T07:37:03Z
  Generation:          1
  Resource Version:    40308
  Self Link:           /apis/karydia.gardener.cloud/v1alpha1/karydiaconfigs/karydia-config
  UID:                 78db2b8e-65cd-483a-8721-745893b1a227
Spec:
  Automount Service Account Token:  change-default
  Network Policy:                   kube-system:karydia-default-network-policy
  Pod Security Context:             nobody
  Seccomp Profile:                  runtime/default
Events:
```
```
kubectl edit pod/alpine2 -n demo
apiVersion: v1
kind: Pod
metadata:
  annotations:
    cni.projectcalico.org/podIP: 100.96.0.18/32
    karydia.gardener.cloud/podSecurityContext.internal: config/nobody
    karydia.gardener.cloud/seccompProfile.internal: config/runtime/default
    kubernetes.io/psp: gardener.privileged
    seccomp.security.alpha.kubernetes.io/pod: runtime/default
  creationTimestamp: "2019-07-11T11:46:21Z"
  labels:
    run: alpine2
  name: alpine2
  namespace: demo
  resourceVersion: "83200"
  selfLink: /api/v1/namespaces/demo/pods/alpine2
  uid: f13d38b6-ec13-444f-a85c-60f8959e1149
spec:
```
Expected behavior
I would expect the service account token not to be mounted.
Logs / console output / screenshots / affected lines of code
Environment
- `kubectl version`: v1.13.1
- `cat /etc/os-release` OR `sw_vers`:
- `uname -a`:
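The two halves of this thread fit together once you apply the rule Kubernetes uses to decide whether a token is mounted: `pod.spec.automountServiceAccountToken` wins if set, otherwise the ServiceAccount's `automountServiceAccountToken` field, otherwise the token is mounted. Karydia only sets that field (and writes its `.internal` annotation) on ServiceAccounts it sees being created, so a `default` ServiceAccount in a namespace that predates the installation keeps the Kubernetes default and every pod using it, like the reporter's `alpine` pod in `demo`, gets `/var/run/secrets/kubernetes.io/serviceaccount`. The audit script below is an added example, not Karydia's or Gardener's code. It works on the JSON `kubectl get serviceaccounts,pods -A -o json` returns; the embedded input is a constructed sample that reuses the namespace names from the thread (`demo`, `demo2`, `demo3`) with invented pods (`alpine`, `worker`), and it treats the absence of the `karydia.gardener.cloud/automountServiceAccountToken.internal` annotation as "Karydia never mutated this object", which is how the maintainer reads it above.

```python
"""Audit which ServiceAccounts and pods will still get a token mounted.

Added example, not karydia code. Input has the shape of
`kubectl get serviceaccounts,pods -A -o json`; the sample below is constructed.
"""
import json
from typing import Dict, List, Tuple

# Annotation Karydia writes when it applies the configured setting (from the thread).
KARYDIA_ANNOTATION = "karydia.gardener.cloud/automountServiceAccountToken.internal"

# Constructed sample. Namespace names come from the thread; pod names are invented.
SAMPLE_KUBECTL_JSON = json.dumps({
    "apiVersion": "v1", "kind": "List", "items": [
        # Namespace created before Karydia: field unset, no annotation -> token mounted.
        {"apiVersion": "v1", "kind": "ServiceAccount",
         "metadata": {"name": "default", "namespace": "demo"}},
        # Namespaces created after Karydia: annotated and set to false.
        {"apiVersion": "v1", "kind": "ServiceAccount", "automountServiceAccountToken": False,
         "metadata": {"name": "default", "namespace": "demo2",
                      "annotations": {KARYDIA_ANNOTATION: "config/change-default"}}},
        {"apiVersion": "v1", "kind": "ServiceAccount", "automountServiceAccountToken": False,
         "metadata": {"name": "default", "namespace": "demo3",
                      "annotations": {KARYDIA_ANNOTATION: "config/change-default"}}},
        # Pod in demo uses the default SA implicitly (no serviceAccountName).
        {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "alpine", "namespace": "demo"},
         "spec": {"containers": [{"name": "alpine", "image": "alpine"}]}},
        # Pod in demo2 inherits false from its ServiceAccount.
        {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "alpine", "namespace": "demo2"},
         "spec": {"serviceAccountName": "default",
                  "containers": [{"name": "alpine", "image": "alpine"}]}},
        # Pod in demo3 opts back in; the pod-level field overrides the ServiceAccount.
        {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "worker", "namespace": "demo3"},
         "spec": {"serviceAccountName": "default", "automountServiceAccountToken": True,
                  "containers": [{"name": "worker", "image": "alpine"}]}},
    ],
})


def load_sample() -> List[Dict]:
    return json.loads(SAMPLE_KUBECTL_JSON)["items"]


def token_mounted(pod: Dict, sa: Dict) -> bool:
    """Kubernetes' rule: pod.spec.automountServiceAccountToken overrides the
    ServiceAccount's field; if neither is set, the token is mounted."""
    pod_setting = pod.get("spec", {}).get("automountServiceAccountToken")
    if pod_setting is not None:
        return pod_setting
    sa_setting = sa.get("automountServiceAccountToken")
    if sa_setting is not None:
        return sa_setting
    return True


def _split(items: List[Dict]) -> Tuple[Dict[Tuple[str, str], Dict], List[Dict]]:
    sas = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
           for o in items if o["kind"] == "ServiceAccount"}
    return sas, [o for o in items if o["kind"] == "Pod"]


def unprotected_default_service_accounts(items: List[Dict]) -> List[Tuple[str, str]]:
    """(namespace, reason) for each 'default' ServiceAccount that still hands a
    token to pods that do not set the field themselves."""
    sas, _ = _split(items)
    findings = []
    for (ns, name), sa in sorted(sas.items()):
        if name != "default" or sa.get("automountServiceAccountToken") is False:
            continue  # hardened, whether by Karydia or by hand
        reason = "automountServiceAccountToken unset, default is true"
        if KARYDIA_ANNOTATION not in sa.get("metadata", {}).get("annotations", {}):
            reason += "; no Karydia annotation, so Karydia never saw this object"
        findings.append((ns, reason))
    return findings


def pods_with_mounted_tokens(items: List[Dict]) -> List[str]:
    """'namespace/pod' for every pod whose token ends up under
    /var/run/secrets/kubernetes.io/serviceaccount."""
    sas, pods = _split(items)
    out = []
    for pod in pods:
        ns = pod["metadata"]["namespace"]
        sa_name = pod.get("spec", {}).get("serviceAccountName") or "default"
        if token_mounted(pod, sas.get((ns, sa_name), {})):
            out.append(f"{ns}/{pod['metadata']['name']}")
    return sorted(out)


def remediation_commands(items: List[Dict]) -> List[str]:
    """kubectl patch per finding. Only pods created afterwards are affected,
    because the mount decision is made when the pod is admitted."""
    return [f"kubectl patch serviceaccount default -n {ns} "
            "-p '{\"automountServiceAccountToken\": false}'"
            for ns, _ in unprotected_default_service_accounts(items)]


if __name__ == "__main__":
    objs = load_sample()
    for ns, reason in unprotected_default_service_accounts(objs):
        print(f"{ns}: {reason}")
    print("pods with a mounted token:", pods_with_mounted_tokens(objs))
    print("\n".join(remediation_commands(objs)))
```

Run against a real cluster by replacing `SAMPLE_KUBECTL_JSON` with the output of `kubectl get serviceaccounts,pods -A -o json`. Two caveats the `demo3/worker` case makes visible: a ServiceAccount set to `false` does not stop a pod that sets `automountServiceAccountToken: true` itself, so the ServiceAccount setting is a default, not a policy; and patching the ServiceAccount only changes pods created after the patch, so the reporter's already running `alpine` pod keeps its mount until it is recreated.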