Open ghost opened 1 year ago
@mackmittalwk I remember that Kubernetes supports auto-mounting the service account token. The purpose is that the Pod is able to authenticate to the kube-apiserver.
I think we could disable the auto-mount of the service account token. But we need to make sure the Velero pods contain another service account token within the pod that is able to authenticate to the kube-apiserver, either by manually injecting a token into the pod or by using a different authentication method.
I have deployed Velero on AKS, but Microsoft's built-in Cloud Defender security raised a high-severity vulnerability on auto-mount of access tokens for service accounts.
I would like to know about the following items:
Does Velero support disabling automount of SA tokens? If not, is it on the future roadmap? What will be the impact of mounting the tokens manually but on a different mount path?
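For reference, the approach described in the comment above (turn off the implicit mount, then inject a token explicitly) looks like the following Pod spec. This is an added example and not part of the issue thread or Velero's own manifests; the pod, service account and image names are placeholders. It mounts a short-lived projected token at the default path, which keeps client-go's in-cluster config discovery (used by Kubernetes clients that read `/var/run/secrets/kubernetes.io/serviceaccount`) working; a client built on that discovery would not find a token mounted elsewhere without additional configuration.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: example-api-client          # placeholder name, not a Velero resource
spec:
  serviceAccountName: example-sa    # assumed service account; must already exist
  # Disable the implicit token mount that the scanner flagged.
  automountServiceAccountToken: false
  containers:
  - name: app
    image: registry.invalid/example-app:1.0   # placeholder image
    volumeMounts:
    # Explicit, read-only mount at the path in-cluster clients expect.
    - name: kube-api-access
      mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      readOnly: true
  volumes:
  - name: kube-api-access
    projected:
      defaultMode: 0444
      sources:
      # Bound, time-limited token; the kubelet rotates it before expiry.
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
      # Cluster CA so the client can verify the API server certificate.
      - configMap:
          name: kube-root-ca.crt
          items:
          - key: ca.crt
            path: ca.crt
      # Namespace file, matching what the automatic mount provides.
      - downwardAPI:
          items:
          - path: namespace
            fieldRef:
              fieldPath: metadata.namespace
```

The same `automountServiceAccountToken: false` field can be set on the ServiceAccount object instead, which applies to every pod using it; a value set on the Pod takes precedence. Pods that never talk to the API server can simply omit the projected volume entirely, which is the least-privilege outcome the scanner is steering toward.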