Kubernetes: add automount_service_account_token option
What does this MR do?
This merge request adds a new config option to the Kubernetes executor to be able to configure the AutomountServiceAccountToken feature of Kubernetes.
Why was this MR needed?
This helps to improve the security of Kubernetes environments, since normally no build pod needs access to the ServiceAccount.
The Helm chart deployment already added the feature to disable the ServiceAccount mount for the GitLab Runner pods themselves, but this doesn't prevent the mount for build/helper and service pods.
gitlab-org/charts/gitlab-runner!428 (merged)
What's the best way to test this MR?
Path to test:
/var/run/secrets/kubernetes.io/serviceaccount
Default config: Path exists or doesn't exist depending on the ServiceAccount config
Config automount_service_account_token = true: Path exists
Config automount_service_account_token = false: Path doesn't exist
What are the relevant issue numbers?
Closes #4786 (closed)
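
The test path above, turned into a check that can run as a script step inside a build container. This is an added example, not part of the MR or of GitLab Runner; the function names and the `default` keyword for the unset option are assumptions made here.

```shell
#!/bin/sh
# Added example: verify the effect of automount_service_account_token
# from inside a build, helper or service container.
SA_DIR_DEFAULT=/var/run/secrets/kubernetes.io/serviceaccount

# Prints "mounted" if a non-empty token file is present, "empty" if the
# directory exists without a token, "absent" if the path does not exist.
sa_mount_state() {
    dir=${1:-$SA_DIR_DEFAULT}
    if [ -s "$dir/token" ]; then
        echo mounted
    elif [ -d "$dir" ]; then
        echo empty
    else
        echo absent
    fi
}

# check_automount EXPECTED [DIR]
# EXPECTED is the configured value: "true", "false", or "default"
# (option unset; the result depends on the ServiceAccount config, so
# both "mounted" and "absent" are accepted).
# A directory without a token is reported as a mismatch for every
# setting, because it means something other than the automount created
# the path (assumption of this example).
# Returns 0 on match, 1 on mismatch, 2 on bad usage.
check_automount() {
    expected=$1
    state=$(sa_mount_state "${2:-$SA_DIR_DEFAULT}")
    case "$expected:$state" in
        true:mounted|false:absent|default:mounted|default:absent)
            echo "ok: automount=$expected, token path $state"
            return 0 ;;
        true:*|false:*|default:*)
            echo "mismatch: automount=$expected, token path $state" >&2
            return 1 ;;
        *)
            echo "usage: check_automount true|false|default [dir]" >&2
            return 2 ;;
    esac
}

# Example job step: check_automount false || exit 1
```

Run the same check in a service container as well as the build container, since the MR states the option covers build/helper and service pods.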