Skip to content

Mitigate automountServiceAccountToken findings in MinIO

Justen Mehl requested to merge harden-automounttoken-minio into master

General MR


Related to https://repo1.dso.mil/big-bang/bigbang/-/issues/1845 and https://repo1.dso.mil/big-bang/bigbang/-/issues/1846

This MR leverages the mutating Kyverno policy named update-automountserviceaccounttokens to harden all ServiceAccounts in the minio and minio-operator namespace/package, and to place Pod exceptions where applicable (depending if the application truly needs access to the K8s API).

Justification for Pod exceptions are placed in comments alongside the code.

Manual testing according to the packages' DEVELOPMENT_MAINTENANCE.md has shown no loss of functionality. Pipeline tests are passing.

Edited by Justen Mehl

Merge request reports