
Allow user to turn off automountServiceAccountToken feature

What does this MR do?

Allows the user to turn off the automountServiceAccountToken feature

Why was this MR needed?

The default service account token mechanism automatically mounts a static service account token that never expires and changes only when rotated manually. As a security improvement, Kubernetes made the Bound Service Account Token projected volume a stable feature in Kubernetes 1.22. It provides a time-limited token (1 hour by default) through a projected volume. In Kubernetes 1.28, all tokens are going to be projected into the pod by default, although you can still create a token secret manually to obtain a long-lived token.

Given that the chart already supports user-defined volumes and volume mounts, adding this field lets users replace the built-in, automatically mounted static service account token entirely, ahead of an upgrade to Kubernetes 1.28.

What's the best way to test this MR?

Uncomment automountServiceAccountToken in the values and set it to false, then add a projected service account token volume and a matching volume mount at the default service account path. Something like the following should work:

# Stop the kubelet from mounting the static, non-expiring token
automountServiceAccountToken: false
volumeMounts:
  - name: gitlab-runner
    # Same path the in-cluster client libraries read, so nothing else changes
    mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    readOnly: true
volumes:
  - name: gitlab-runner
    projected:
      defaultMode: 0440
      sources:
        # Cluster CA bundle, published in every namespace as kube-root-ca.crt (key ca.crt)
        - configMap:
            name: kube-root-ca.crt
        # The items list belongs under downwardAPI, not beside it
        - downwardAPI:
            items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
        # Bound token with a 1 hour lifetime, refreshed by the kubelet before it expires
        - serviceAccountToken:
            expirationSeconds: 3600
            path: token
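To check that a values file actually achieves what the snippet above intends (static token off, a read-only projected volume at the default path providing token, ca.crt and namespace, and a token lifetime Kubernetes will accept), here is an added Python audit script. It is not part of the chart or this MR; it uses plain dicts in place of parsed YAML so it needs no extra packages, EXAMPLE_VALUES is a constructed copy of the snippet, and the token helper decodes a mounted token without signature verification because it is read from the pod's own filesystem.

```python
"""Audit a gitlab-runner values document for the bound-token setup shown above.

Added example, not part of the chart or the MR. Plain dicts stand in for the
parsed YAML; EXAMPLE_VALUES is a constructed copy of the MR's snippet.
"""
import base64
import json

SA_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"
# Files the in-cluster client libraries expect under SA_MOUNT_PATH
EXPECTED_FILES = {"token", "ca.crt", "namespace"}
# Kubernetes rejects serviceAccountToken projections shorter than 10 minutes
MIN_EXPIRATION_SECONDS = 600

EXAMPLE_VALUES = {  # constructed, mirrors the YAML in the MR description
    "automountServiceAccountToken": False,
    "volumeMounts": [
        {"name": "gitlab-runner", "mountPath": SA_MOUNT_PATH, "readOnly": True}
    ],
    "volumes": [
        {
            "name": "gitlab-runner",
            "projected": {
                "defaultMode": 0o440,
                "sources": [
                    {"configMap": {"name": "kube-root-ca.crt"}},
                    {"downwardAPI": {"items": [
                        {"fieldRef": {"apiVersion": "v1", "fieldPath": "metadata.namespace"},
                         "path": "namespace"}]}},
                    {"serviceAccountToken": {"expirationSeconds": 3600, "path": "token"}},
                ],
            },
        }
    ],
}


def projected_files(projected):
    """Return (set of file paths, list of serviceAccountToken sources) for a projected volume."""
    files, token_sources = set(), []
    for src in projected.get("sources", []):
        if "serviceAccountToken" in src:
            token_sources.append(src["serviceAccountToken"])
            files.add(src["serviceAccountToken"].get("path"))
        for item in src.get("downwardAPI", {}).get("items", []):
            files.add(item.get("path"))
        cm = src.get("configMap", {})
        if cm.get("items"):
            files.update(i.get("path") for i in cm["items"])
        elif cm.get("name") == "kube-root-ca.crt":
            # Without items every key is projected; kube-root-ca.crt has only ca.crt
            files.add("ca.crt")
    return files, token_sources


def audit_values(values):
    """Return a list of findings; an empty list means the setup matches the MR's intent."""
    findings = []
    if values.get("automountServiceAccountToken", True) is not False:
        findings.append("automountServiceAccountToken is not false; the static token is still mounted")

    mount = next((m for m in values.get("volumeMounts", []) if m.get("mountPath") == SA_MOUNT_PATH), None)
    if mount is None:
        findings.append("no volumeMount at " + SA_MOUNT_PATH)
        return findings
    if not mount.get("readOnly"):
        findings.append("service account volumeMount is not readOnly")

    volume = next((v for v in values.get("volumes", []) if v.get("name") == mount.get("name")), None)
    if volume is None or "projected" not in volume:
        findings.append("volumeMount %r does not reference a projected volume" % mount.get("name"))
        return findings

    files, token_sources = projected_files(volume["projected"])
    missing = EXPECTED_FILES - files
    if missing:
        findings.append("projected volume lacks " + ", ".join(sorted(missing)))
    if len(token_sources) != 1:
        findings.append("expected exactly one serviceAccountToken source, found %d" % len(token_sources))
    for src in token_sources:
        exp = src.get("expirationSeconds")
        if exp is None or exp < MIN_EXPIRATION_SECONDS:
            findings.append("serviceAccountToken.expirationSeconds must be set and >= %d" % MIN_EXPIRATION_SECONDS)
    return findings


def token_lifetime_seconds(token):
    """Decode the payload of a mounted token (no signature check) and return exp - iat,
    or None for a legacy static token, which carries no exp claim. Run it against
    SA_MOUNT_PATH/token inside the runner pod to confirm the bound token is in use."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if "exp" not in claims:
        return None
    return claims["exp"] - claims["iat"]


def fake_token(claims):
    """Build an unsigned JWT-shaped string with the given claims (constructed test data)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    print("findings:", audit_values(EXAMPLE_VALUES) or "none")
    bound = fake_token({"iat": 1700000000, "exp": 1700003600})
    print("lifetime of constructed bound token:", token_lifetime_seconds(bound), "s")
```

The audit stops early when no mount exists at the default path or the mount does not point at a projected volume, since the remaining checks would only produce noise; the file-set check catches the common mistake of projecting the token alone, which leaves clients without ca.crt and namespace.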

What are the relevant issue numbers?