disable automount serviceaccount

Pierrick Seite requested to merge disable-automountSA into main

What does this MR do and why?

Ensure that default service accounts are not actively used, i.e. not automatically mounted in pods, for example in keycloak pods.

Related reference(s)

Quoting CIS benchmark 5.1.5:

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

For each namespace including default and kube-system on a standard RKE2 install, the default service account must include this value:

automountServiceAccountToken: false

Edited by Pierrick Seite
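As an added illustration of the check behind this MR (example code, not part of the merge request or of the project), the script below audits the JSON that `kubectl get serviceaccounts,pods -A -o json` returns: it lists every namespace whose `default` ServiceAccount does not carry `automountServiceAccountToken: false` (the field is absent by default, and absent means true), and separately flags pods that run as the default ServiceAccount while setting `spec.automountServiceAccountToken: true`, because the pod-level field overrides the ServiceAccount-level one and would undo the hardening. The cluster snapshot embedded in it is constructed sample data, and the namespace and pod names in it are invented.

```python
"""Audit default ServiceAccounts for CIS 5.1.5 (token automount disabled).

Added example, not part of the merge request. Input is the JSON shape of
`kubectl get serviceaccounts,pods -A -o json`; the sample below is constructed.
"""
import json

# Constructed sample snapshot (namespace/pod names are invented for the example).
SAMPLE_LIST = json.dumps({
    "kind": "List",
    "items": [
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "default"},
         "automountServiceAccountToken": False},
        # Field absent -> Kubernetes treats it as true -> finding.
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "kube-system"}},
        {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "keycloak"},
         "automountServiceAccountToken": False},
        {"kind": "ServiceAccount", "metadata": {"name": "keycloak", "namespace": "keycloak"}},
        # Pod using the default SA but re-enabling the mount at pod level -> warning.
        {"kind": "Pod", "metadata": {"name": "keycloak-0", "namespace": "keycloak"},
         "spec": {"serviceAccountName": "default", "automountServiceAccountToken": True}},
        {"kind": "Pod", "metadata": {"name": "coredns-abc", "namespace": "kube-system"},
         "spec": {"serviceAccountName": "coredns"}},
        # No serviceAccountName means the default SA; no pod-level override -> fine.
        {"kind": "Pod", "metadata": {"name": "busybox", "namespace": "default"}, "spec": {}},
    ],
})


def default_sa_findings(items):
    """Namespaces whose default ServiceAccount still automounts a token."""
    findings = []
    for obj in items:
        if obj.get("kind") != "ServiceAccount":
            continue
        meta = obj["metadata"]
        if meta["name"] != "default":
            continue
        # Absent field defaults to true, so only an explicit false passes.
        if obj.get("automountServiceAccountToken", True) is not False:
            findings.append(meta["namespace"])
    return sorted(findings)


def pod_override_findings(items):
    """Pods running as the default SA that force a token mount in their own spec.

    spec.automountServiceAccountToken on the pod takes precedence over the
    ServiceAccount's setting, so SA-level hardening alone does not cover them.
    """
    findings = []
    for obj in items:
        if obj.get("kind") != "Pod":
            continue
        spec = obj.get("spec", {})
        sa = spec.get("serviceAccountName", "default")  # unset means the default SA
        if sa == "default" and spec.get("automountServiceAccountToken") is True:
            findings.append(f"{obj['metadata']['namespace']}/{obj['metadata']['name']}")
    return sorted(findings)


def hardened_default_sa(namespace):
    """Manifest applying the CIS-required value to the default SA of one namespace."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": "default", "namespace": namespace},
        "automountServiceAccountToken": False,
    }


def audit(json_text):
    """Run both checks over a kubectl JSON list and return the findings."""
    items = json.loads(json_text)["items"]
    return {
        "default_sa_automount": default_sa_findings(items),
        "pod_overrides": pod_override_findings(items),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LIST)
    for ns in report["default_sa_automount"]:
        print(f"FAIL default SA in {ns}: automountServiceAccountToken is not false")
        print("  fix:", json.dumps(hardened_default_sa(ns)))
    for pod in report["pod_overrides"]:
        print(f"WARN pod {pod} runs as default SA with spec.automountServiceAccountToken: true")
```

Feed it real cluster output with `kubectl get serviceaccounts,pods -A -o json | python3 audit_sa.py` after replacing `SAMPLE_LIST` with `sys.stdin.read()`; the second check is the one that catches regressions once the ServiceAccount objects themselves are compliant.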