Closed bradrydzewski closed 5 years ago
edit, looks like we can do this:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  automountServiceAccountToken: false
```

this may be a pretty simple fix ...

confirmed this fixed the issue

```
$ ls -la /var/run/secrets/kubernetes.io/serviceaccount
ls: /var/run/secrets/kubernetes.io/serviceaccount: No such file or directory
```
Images spawned by kubernetes can access the kubernetes API using "in cluster" authentication. This should be disabled for containers that are spawned by the pipeline, or at least customizable in some way. Until this is resolved, the Kubernetes engine should be internal-use-only (do not use for public repositories that accept pull requests). I was hoping to have a solution in place already, but could use some help if anyone is interested.
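An added example, not part of the original issue or the project's code: one way to audit which pods can still read a service account token after setting `automountServiceAccountToken: false` as discussed above. It assumes input in the shape of `kubectl get pods -o json` and `kubectl get serviceaccounts -o json` items; the sample pods and service accounts are constructed and their names are hypothetical.

```python
# Constructed sample data in the shape of `kubectl get pods -o json` and
# `kubectl get serviceaccounts -o json` items; all names are hypothetical.
SERVICE_ACCOUNTS = [
    {"metadata": {"namespace": "ci", "name": "default"}},
    {"metadata": {"namespace": "ci", "name": "no-token"},
     "automountServiceAccountToken": False},
]
PODS = [
    {"metadata": {"namespace": "ci", "name": "step-default"}, "spec": {}},
    {"metadata": {"namespace": "ci", "name": "step-hardened"},
     "spec": {"automountServiceAccountToken": False}},
    {"metadata": {"namespace": "ci", "name": "step-sa-optout"},
     "spec": {"serviceAccountName": "no-token"}},
    {"metadata": {"namespace": "ci", "name": "step-sa-override"},
     "spec": {"serviceAccountName": "no-token",
              "automountServiceAccountToken": True}},
    {"metadata": {"namespace": "ci", "name": "step-projected"},
     "spec": {"automountServiceAccountToken": False,
              "volumes": [{"name": "tok", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token"}}]}}]}},
]


def token_exposure(pod, service_accounts):
    """Return the reasons a pod's containers can read a service account token."""
    spec = pod.get("spec", {})
    ns = pod["metadata"].get("namespace", "default")
    sa = service_accounts.get((ns, spec.get("serviceAccountName", "default")), {})
    # Precedence: pod spec field, then the ServiceAccount's field, then true.
    flag = spec.get("automountServiceAccountToken")
    if flag is None:
        flag = sa.get("automountServiceAccountToken", True)
    reasons = ["automount enabled"] if flag else []
    # An explicitly declared projected volume can still deliver a token
    # to the pod even when automount is off.
    for vol in spec.get("volumes", []):
        for src in (vol.get("projected") or {}).get("sources", []):
            if "serviceAccountToken" in src:
                reasons.append("projected token volume: " + vol["name"])
    return reasons


def audit(pods, service_accounts):
    """Map pod name -> reasons, for pods that still expose a token."""
    index = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
             for s in service_accounts}
    findings = {p["metadata"]["name"]: token_exposure(p, index) for p in pods}
    return {name: why for name, why in findings.items() if why}
```

Setting the field on the pod spec, as in the manifest above, is the safer choice for pipeline containers because it overrides whatever the service account specifies.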