emberstack / kubernetes-reflector

Custom Kubernetes controller that can be used to replicate secrets, configmaps and certificates.
MIT License

Helm chart improvement: Restrict Auto-Mount of Service Account Tokens in Service Account #450

Closed: kubebn closed this issue 4 months ago

kubebn commented 4 months ago

https://kyverno.io/policies/other/restrict-sa-automount-sa-token/restrict-sa-automount-sa-token/

Kubernetes automatically mounts ServiceAccount credentials in each ServiceAccount. The ServiceAccount may be assigned roles allowing Pods to access API resources. Blocking this ability is an extension of the least privilege best practice and should be followed if Pods do not need to speak to the API server to function. This policy ensures that mounting of these ServiceAccount tokens is blocked.

winromulus commented 4 months ago

@kubebn reflector continuously speaks to the API server in order to get the resources to reflect. The service account is mandatory to speak to the API server. I'm not sure what the issue is here but please reopen if needed.
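The two comments above are compatible: the ServiceAccount can default to not mounting its token while the reflector Pod, which does need the API server, opts back in explicitly, because the Pod-level `automountServiceAccountToken` field takes precedence over the ServiceAccount-level one. The manifests below are an added example, not part of this issue or of the project's Helm chart; the names, namespace and image are assumed placeholders.

```yaml
# Added example; not from the issue or the reflector chart.
# ServiceAccount-level default: Pods using this account get no token mounted
# unless they explicitly ask for one.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: reflector          # assumed name
  namespace: reflector     # assumed namespace
automountServiceAccountToken: false
---
# The reflector Pod needs API access, so it opts back in at the Pod level.
# The Pod-level field overrides the ServiceAccount-level setting.
apiVersion: v1
kind: Pod
metadata:
  name: reflector          # assumed name
  namespace: reflector     # assumed namespace
spec:
  serviceAccountName: reflector
  automountServiceAccountToken: true
  containers:
    - name: reflector
      image: IMAGE_PLACEHOLDER   # placeholder, substitute the chart's image
```

Any other Pod bound to this ServiceAccount that leaves the field unset inherits the `false` default and cannot reach the API server with that account's credentials.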