kedacore / keda

KEDA is a Kubernetes-based Event Driven Autoscaling component. It provides event driven scale for any container running in Kubernetes
https://keda.sh
Apache License 2.0
8.36k stars 1.06k forks

Configuration security rule violation, ensure service account tokens are only mounted where necessary #5900

Closed tsivachi closed 1 month ago

tsivachi commented 3 months ago

The KEDA operator should look at deploying the component with automountServiceAccountToken=false to comply with best practices around mounting service account tokens.

It seems that other OSS components like certmanager are able to implement a token rotation mechanism periodically and avoid mounting a static token, as per this link here?

Originally posted by @tsivachi in https://github.com/kedacore/keda/issues/1934#issuecomment-2179295338

stale[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

JorTurFer commented 1 month ago

Hello, sorry that I missed this issue 😢 This is already supported using the helm chart: https://github.com/kedacore/charts/blob/12433cf661790abe0425f66cd4bd21e73741c010/keda/values.yaml#L289-L316

By default, we prefer to use automountServiceAccountToken, as it's the easiest way, and it's safe with the default KEDA installation (with a single container), but you can set it to false and mount the service account yourself.
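The setup described in the thread (automountServiceAccountToken=false, with the token mounted explicitly) as an added example. This is not KEDA's manifest or the Helm chart's rendered output; the names (keda-operator, the keda namespace), the image tag and the volume name are placeholders, and the Helm values that drive this are the ones linked above, not shown here. The hardened form mounts a projected, bound token that the kubelet rotates before it expires, together with the cluster CA and namespace that client-go expects at the default in-cluster path.

```yaml
# Added example, not a KEDA project manifest. All names and the image tag are
# assumptions; take the real values from your installation.
---
# Weak-by-default form: nothing is said about the token, so the kubelet
# auto-mounts one (automountServiceAccountToken defaults to true on both the
# Pod and the ServiceAccount).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keda-operator
  namespace: keda
spec:
  selector:
    matchLabels:
      app: keda-operator
  template:
    metadata:
      labels:
        app: keda-operator
    spec:
      serviceAccountName: keda-operator
      containers:
        - name: keda-operator
          image: ghcr.io/kedacore/keda:2.14.0   # tag is an assumption
---
# Hardened form, step 1: turn the automatic mount off at the ServiceAccount so
# any pod using it must opt in explicitly.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: keda-operator
  namespace: keda
automountServiceAccountToken: false
---
# Hardened form, step 2: the Deployment also opts out, then projects a bound,
# expiring token itself. The kubelet refreshes a projected serviceAccountToken
# before expirationSeconds elapses, so the container never holds a static,
# non-expiring credential.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keda-operator
  namespace: keda
spec:
  selector:
    matchLabels:
      app: keda-operator
  template:
    metadata:
      labels:
        app: keda-operator
    spec:
      serviceAccountName: keda-operator
      automountServiceAccountToken: false
      containers:
        - name: keda-operator
          image: ghcr.io/kedacore/keda:2.14.0   # tag is an assumption
          volumeMounts:
            # Same path the kubelet would have used, so client-go's in-cluster
            # config finds token, ca.crt and namespace without any change.
            - name: sa-token
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
      volumes:
        - name: sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600   # minimum allowed is 600
                  # audience left unset: defaults to the API server audience,
                  # which is what the operator needs to call the API.
              - configMap:
                  name: kube-root-ca.crt     # present in every namespace
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
```

Two caveats for anyone applying this. First, the operator still needs a token to talk to the API server, so setting automountServiceAccountToken: false without the projected volume breaks KEDA rather than hardening it. Second, on clusters with bound service account tokens (default since Kubernetes 1.22), the kubelet's automatic mount is already a projected, time-limited token that is rotated the same way; the explicit volume above mainly buys you a visible, auditable declaration and control over expirationSeconds, which is what a configuration rule checking automountServiceAccountToken is looking for. To confirm the setting took effect, `kubectl get pod -n keda -l app=keda-operator -o jsonpath='{.items[*].spec.automountServiceAccountToken}'` should print `false`.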