Mitigate automountServiceAccountToken findings in flux-system and bigbang namespaces
General MR
Summary
Closes #1855 and #1856
This MR hardens all ServiceAccounts present in the flux-system namespace, but overrides this behavior at the pod-spec level since Flux requires heavy access to the Kubernetes API. The changes are made via Kustomize patches in kustomization.yaml (similar to how we patch in container resource constraints) because the gotk-components.yaml is programmatically generated by Flux and cannot be edited.
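As an added illustration of the Kustomize approach described above (this is example configuration, not the MR's actual diff), the following kustomization.yaml sets automountServiceAccountToken: false on every ServiceAccount that Flux generates in gotk-components.yaml, and then re-enables the mount on each controller Deployment's pod spec so the Flux controllers keep their API access. The resource file names follow the standard Flux bootstrap layout; whether the target selectors match the exact set of objects in a given Flux version is an assumption that should be checked with `kustomize build`.

```yaml
# Example kustomization.yaml for the flux-system namespace (added example,
# not the project's own file). Assumes the standard Flux bootstrap layout
# where gotk-components.yaml and gotk-sync.yaml sit next to this file.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-components.yaml
  - gotk-sync.yaml
patches:
  # 1. Disable token automount on every ServiceAccount in the generated
  #    manifests. The empty-name target matches all ServiceAccounts, so
  #    no per-controller names need to be hard-coded.
  - target:
      kind: ServiceAccount
    patch: |
      - op: add
        path: /automountServiceAccountToken
        value: false
  # 2. Override at the pod-spec level for the Flux controllers. The
  #    pod-level field takes precedence over the ServiceAccount setting,
  #    so the controllers still receive the projected token they need to
  #    talk to the Kubernetes API.
  - target:
      kind: Deployment
    patch: |
      - op: add
        path: /spec/template/spec/automountServiceAccountToken
        value: true
```

After applying, the result can be verified with `kubectl -n flux-system get serviceaccounts -o custom-columns=NAME:.metadata.name,AUTOMOUNT:.automountServiceAccountToken` (every row should show `false`) and by confirming that the controller pods still mount a token at /var/run/secrets/kubernetes.io/serviceaccount. Any future Pod in the namespace that does not set the field explicitly will inherit the ServiceAccount's `false`, which is the intended fail-closed default.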
This MR also hardens the default ServiceAccount in the flux-system and bigbang namespaces via the mutating Kyverno policy named update-automountserviceaccounttokens-default. This is a minute change, since no resources actually utilize those ServiceAccounts, but it removes two Kyverno policy violations.
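For readers unfamiliar with how a mutating Kyverno policy achieves this, here is an added example ClusterPolicy (not the actual policy shipped by the project, whose rule names and match logic are not shown on this page). It matches only the ServiceAccount named `default` in the two namespaces named above and sets automountServiceAccountToken: false on it at admission time; the policy name is reused from the MR text, everything else is assumed.

```yaml
# Added example of a Kyverno mutate policy for the default ServiceAccount.
# The policy name matches the one referenced in the MR; the rule body is an
# assumption and not the project's own configuration.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: update-automountserviceaccounttokens-default
spec:
  # Mutation happens in the admission path, so it applies when the
  # ServiceAccount is created or updated by the API server.
  rules:
    - name: disable-default-sa-automount
      match:
        any:
          - resources:
              kinds:
                - ServiceAccount
              names:
                - default
              namespaces:
                - flux-system
                - bigbang
      mutate:
        patchStrategicMerge:
          automountServiceAccountToken: false
```

One caveat worth keeping in mind: an admission-time mutate rule only touches the object when an admission request for it passes through Kyverno, and the `default` ServiceAccount is created by the controller-manager when a namespace appears. A `default` ServiceAccount that already existed before the policy was installed therefore stays unchanged until it is updated or the policy is extended with a mutate-existing rule, so it is worth checking the field directly with `kubectl -n bigbang get sa default -o jsonpath='{.automountServiceAccountToken}'` rather than relying on the policy report alone.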
Upgrade Notices
N/A