disable automatic mount of SA token for pv-pool pod - Githubissues

noobaa / noobaa-operator

Operator for NooBaa - object data service for hybrid and multi cloud environments :cloud: :wrench:

https://www.noobaa.io

Apache License 2.0

103 stars 101 forks source link

disable automatic mount of SA token for pv-pool pod #1399

Closed dannyzaken closed 3 months ago

dannyzaken commented 3 months ago

Explain the changes

Kubernetes automatically mounts a service account token for every pod by default.
The best practice is to mount it only for pods that require access to the Kubernetes API.
For now, disabling automount for pv-pool pods. We should consider it for all pods other than the operator.
see more info here

Issues: Fixed #xxx / Gap #xxx

Testing Instructions:

[ ] Doc added/updated
[ ] Tests added

tangledbytes commented 3 months ago

This reminds me that we have create_k8s_auth in noobaa-core, I can't find its usage right now but that seems to read SA token.

dannyzaken commented 3 months ago

This reminds me that we have create_k8s_auth in noobaa-core, I can't find its usage right now but that seems to read SA token.

I think it was used for SSO into noobaa UI, so it's not relevant anymore