The source project of this merge request has been removed.
Reduce automounting of SA token
What does this MR do?
Several componentents of GitLab do not need access to Kubernetes API, so they should not have a mounted SA token in their pod as well. By not automounting it, it reduces unnecessary attack surface. Attackers cannot access the K8S API on behalf of the pod without a token.
I have limited my fix to what it is running in my environment, it could very well be that other parts of GitLab could profit from this change as well. This commit covers:
- gitlab/gitaly
- gitlab/gitlab-exporter
- gitlab/gitlab-shell
- gitlab/migrations
- gitlab/sidekiq
- gitlab/task-runner
- gitlab/webservice
- minio
- registry
Related issues
If raising an issue helps (or is required), let me know and I will.
Checklist
See Definition of done.
For anything in this list which will not be completed, please provide a reason in the MR discussion.
Required
-
Merge Request Title and Description are up to date, accurate, and descriptive -
MR targeting the appropriate branch -
MR has a green pipeline on GitLab.com
Expected (please provide an explanation if not completing)
-
Test plan indicating conditions for success has been posted and passes -
Documentation created/updated -
Tests added -
Integration tests added to GitLab QA -
Equivalent MR/issue for omnibus-gitlab opened