UNCLASSIFIED - NO CUI

gatekeeper update to 3.13.3-bb.3

mr-bot requested to merge update-policy-tag-3.13.3-bb.3 into master

Package Merge Request

Package Changes

The Package MR includes template modifications to disable API token auto-mounting for the gatekeeper-admin ServiceAccount.

This essentially means that Pods leveraging the gatekeeper-admin ServiceAccount, by default, will not have access to their Kubernetes API token (previously mounted at /var/run/secrets/kubernetes.io/serviceaccount/token).

Since this package deals with the Kubernetes API heavily - all Gatekeeper Pods override this behavior at the Pod spec-level (example here). As such, a Kyverno policy exception will be made for said Pods.

This "overriding" pattern is repeated for several post/pre install/upgrade Jobs (i.e., gatekeeper-update-crds-hook), as they require access to the K8s API as well.

Testing has shown no loss of functionality - pipelines have passed, and a Package codeowner has approved the change.

This is in support of epic &146.

Package MR

big-bang/product/packages/policy!183 (merged)

For Issue

Edited by Michael Martin
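The description above relies on Kubernetes precedence: a Pod-level `automountServiceAccountToken` overrides the ServiceAccount's setting. The following audit sketch is an added example, not part of the merge request or the package's code, and resolves the effective setting per workload. The manifests are constructed and trimmed; `gatekeeper-controller-manager` and `example-no-override` are assumed names, and namespaces are ignored for brevity.

```python
# Constructed manifests, reduced to the fields that decide token mounting.
MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "gatekeeper-admin"},
     "automountServiceAccountToken": False},
    {"kind": "Deployment", "metadata": {"name": "gatekeeper-controller-manager"},
     "spec": {"template": {"spec": {"serviceAccountName": "gatekeeper-admin",
                                    "automountServiceAccountToken": True}}}},
    {"kind": "Job", "metadata": {"name": "gatekeeper-update-crds-hook"},
     "spec": {"template": {"spec": {"serviceAccountName": "gatekeeper-admin",
                                    "automountServiceAccountToken": True}}}},
    # Hypothetical workload without an override: inherits the ServiceAccount value.
    {"kind": "Job", "metadata": {"name": "example-no-override"},
     "spec": {"template": {"spec": {"serviceAccountName": "gatekeeper-admin"}}}},
]

def pod_spec(obj):
    """Pod spec of a Pod or a templated workload (Deployment, Job); None otherwise.
    CronJob (spec.jobTemplate) is not handled in this sketch."""
    spec = obj.get("spec", {})
    return spec if obj["kind"] == "Pod" else spec.get("template", {}).get("spec")

def effective_automount(pspec, sa):
    """Kubernetes precedence: Pod spec field, then ServiceAccount field, else True."""
    for source, holder in (("pod", pspec), ("serviceaccount", sa or {})):
        value = holder.get("automountServiceAccountToken")
        if value is not None:
            return value, source
    return True, "default"

def audit(manifests):
    """Map each workload name to (token_mounted, deciding_source)."""
    accounts = {m["metadata"]["name"]: m
                for m in manifests if m["kind"] == "ServiceAccount"}
    report = {}
    for m in manifests:
        pspec = pod_spec(m)
        if pspec is None:
            continue
        sa = accounts.get(pspec.get("serviceAccountName", "default"))
        report[m["metadata"]["name"]] = effective_automount(pspec, sa)
    return report

def needs_policy_exception(report):
    """Workloads that re-enable the token at Pod level; these are the ones a
    'no automount' admission policy flags and that need a recorded exception."""
    return sorted(n for n, (mounted, src) in report.items() if mounted and src == "pod")

if __name__ == "__main__":
    for name, (mounted, source) in audit(MANIFESTS).items():
        print(f"{name}: token mounted={mounted} (decided by {source})")
```

Any workload in the `needs_policy_exception` list that is not covered by a reviewed exception is worth a second look, since it holds an API token the ServiceAccount default was meant to withhold.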
