The current implementation of the secure-by-default behavior for token auto-mounts should be moved from Pods to ServiceAccounts. Instead of mutating the Pod resources, the default of `automountServiceAccountToken` in ServiceAccount resources should be changed from `true` to `false`. An overview of the expected behavior for each combination of the ServiceAccount and Pod settings is given in the following table.

We have had a lengthy discussion on the `automountServiceAccountToken` issue today. It appears we might want something that we have not implemented and not thought of so far. Let's look at the `automountServiceAccountToken` setting, which can be configured both on the service account and on the pod level. We have checked the non-obvious combinations and listed all of them in the table below:
| # | service account | pod | k8s behavior | karydia behavior |
|---|---|---|---|---|
| 1 | true | true | true | true |
| 2 | false | true | true | true |
| 3 | true | false | false | false |
| 4 | false | false | false | false |
| 5 | not defined | not defined | true | false |
| 6 | not defined | true | true | true |
| 7 | not defined | false | false | false |
| 8 | true | not defined | true | true |
| 9 | false | not defined | false | false |
User Story
As an admin I don't want the `automountServiceAccountToken` property to be left undefined in ServiceAccount resources. Instead, undefined cases should default to `automountServiceAccountToken: false`.
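The rules in the table, written out as an added example (not karydia's own code): a mutation that adds `automountServiceAccountToken: false` to a ServiceAccount only when the field is undefined, and a resolver that applies Kubernetes' precedence (explicit pod value, then service account value, then the default). The struct and function names are assumptions; the ServiceAccount document is constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of a v1 ServiceAccount; only the fields this check reads are decoded.
type serviceAccount struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
}

// One RFC 6902 JSON patch operation, as returned by a mutating admission webhook.
type jsonPatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value bool   `json:"value"`
}

// MutateServiceAccount returns the patch for a ServiceAccount: if the field is not
// set, it is added as false. Explicit true/false values are left untouched (rows 1-4, 8, 9).
func MutateServiceAccount(raw []byte) ([]jsonPatchOp, error) {
	var sa serviceAccount
	if err := json.Unmarshal(raw, &sa); err != nil {
		return nil, err
	}
	if sa.AutomountServiceAccountToken != nil {
		return nil, nil
	}
	return []jsonPatchOp{{Op: "add", Path: "/automountServiceAccountToken", Value: false}}, nil
}

// EffectiveAutomount resolves whether a token is mounted: a pod-level setting wins,
// otherwise the service account setting applies, otherwise the default. Upstream
// Kubernetes defaults to true (row 5, k8s column); with the mutation above the
// service account is never undefined, so the effective default is false (karydia column).
func EffectiveAutomount(sa, pod *bool, defaultValue bool) bool {
	if pod != nil {
		return *pod
	}
	if sa != nil {
		return *sa
	}
	return defaultValue
}

func main() {
	// Constructed sample: a ServiceAccount that does not set the field (row 5).
	raw := []byte(`{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"default","namespace":"team-a"}}`)
	patch, _ := MutateServiceAccount(raw)
	out, _ := json.Marshal(patch)
	fmt.Println(string(out))
}
```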