mirror of https://github.com/linkerd/linkerd2.git
351cc68b10
Subject Disables "automountServiceAccountToken", instead manually mounts it as a projected volume where necessary Problem By default, kubernetes enables "automountServiceAccountToken" for all pods. This poses a security risk, as pods might get kube-api permissions unintentionally. More specifically, this fails security compliance tests: https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies https://www.azadvertizer.net/azpolicyadvertizer/kubernetes_block-automount-token.html Solution Disable "automountServiceAccountToken", create projected volume for the token, and mount it on relevant containers Validation Linkerd pods are able to access k8s API, work as expected (same as before) Fixes #13108 --------- Signed-off-by: Aran Shavit <Aranshavit@gmail.com> |
||
|---|---|---|
| .. | ||
| cmd | ||
| flag | ||
| table | ||
| Dockerfile | ||
| main.go | ||