UNCLASSIFIED - NO CUI


Mitigate automountServiceAccountToken findings in flux-system and bigbang namespaces

Merged Justen Mehl requested to merge 1855-flux-hardening into master

General MR

Summary

Closes #1855 and #1856

This MR hardens all ServiceAccounts present in the flux-system namespace, but overrides this behavior at the pod-spec level since Flux requires heavy access to the Kubernetes API.

The changes are made via Kustomize patches in kustomization.yaml (similar to how we patch in container resource constraints) because the gotk-components.yaml is programmatically generated by Flux and cannot be edited.

This MR also hardens the default ServiceAccount in the flux-system and bigbang namespaces via the mutating Kyverno policy named update-automountserviceaccounttokens-default. This is a minute change, since no resources actually utilize those ServiceAccounts, but it removes two Kyverno policy violations.

Upgrade Notices

N/A

Edited by Justen Mehl
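The layering the MR describes (harden every ServiceAccount, then opt the Flux pods back in at the pod-spec level, where the field takes precedence over the ServiceAccount setting) can be expressed with two Kustomize patches. The following is an added illustration, not the MR's own diff and not Big Bang's actual kustomization.yaml. The `app.kubernetes.io/part-of=flux` label selector for the Flux controller Deployments and the body of the Kyverno ClusterPolicy (only its name, update-automountserviceaccounttokens-default, appears in the MR) are assumptions.

```yaml
# Hypothetical flux-system kustomization.yaml (added example, not the MR's diff).
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
  # Generated by `flux install --export`; never edited by hand, only patched.
  - gotk-components.yaml
patches:
  # 1. Harden: no ServiceAccount in the namespace mounts a token by default.
  - target:
      kind: ServiceAccount
    patch: |
      - op: add
        path: /automountServiceAccountToken
        value: false
  # 2. Opt back in only where the API is genuinely needed. The pod-spec field
  #    overrides the ServiceAccount field, so the Flux controllers still get
  #    their projected token. Label selector is an assumption; naming the
  #    Deployments explicitly is the safer choice if the labels differ.
  - target:
      kind: Deployment
      labelSelector: app.kubernetes.io/part-of=flux
    patch: |
      - op: add
        path: /spec/template/spec/automountServiceAccountToken
        value: true
---
# Hypothetical Kyverno mutate rule for the `default` ServiceAccounts
# (added example; the real policy body is not on this page).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: update-automountserviceaccounttokens-default
spec:
  rules:
    - name: default-sa-no-automount
      match:
        any:
          - resources:
              kinds: [ServiceAccount]
              names: [default]
              namespaces: [flux-system, bigbang]
      mutate:
        patchStrategicMerge:
          automountServiceAccountToken: false
```

To confirm the result after the layer is reconciled, list the field on both the ServiceAccounts and the running pods: `kubectl -n flux-system get sa -o custom-columns=NAME:.metadata.name,AUTOMOUNT:.automountServiceAccountToken` should show `false` everywhere, while `kubectl -n flux-system get pods -o custom-columns=NAME:.metadata.name,AUTOMOUNT:.spec.automountServiceAccountToken` should show `true` only for the Flux controllers. A pod that is never given an explicit value inherits the ServiceAccount's `false`, which is the intended failure mode: a new workload loses API access rather than silently gaining it.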

Merge request reports

Merge request pipeline #2758573 passed

Merge request pipeline passed for 92c3d1f6

Approval is optional

Merged by Michael Martin 1 year ago (Jan 22, 2024 3:39pm UTC)

Merge details

  • Changes merged into master with 8531ece5 (commits were squashed).
  • Deleted the source branch.

Pipeline #2758709 passed

Pipeline passed for 8531ece5 on master
