Mitigate automountServiceAccountToken findings in flux-system and bigbang namespaces

Justen Mehl requested to merge 1855-flux-hardening into master

General MR


Closes #1855 and #1856

This MR hardens all ServiceAccounts present in the flux-system namespace, but overrides this behavior at the pod-spec level since Flux requires heavy access to the Kubernetes API.

The changes are made via Kustomize patches in kustomization.yaml (similar to how we patch in container resource constraints) because the gotk-components.yaml is programmatically generated by Flux and cannot be edited.

This MR also hardens the default ServiceAccount in the flux-system and bigbang namespaces via the mutating Kyverno policy named update-automountserviceaccounttokens-default. This is a minute change, since no resources actually utilize those ServiceAccounts, but it removes two Kyverno policy violations.
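As an added illustration of the pattern described above (not the MR's own diff), the kustomization.yaml below applies two Kustomize JSON6902 patches over the Flux-generated gotk-components.yaml: one sets automountServiceAccountToken: false on every ServiceAccount in flux-system, the other re-enables mounting at the pod-spec level for the controller Deployments, which is where the decision actually takes effect. The file name gotk-components.yaml and the assumption that the Flux controllers are Deployments are taken from standard Flux output; the patch bodies are constructed here.

```yaml
# kustomization.yaml (constructed example, not Big Bang's real file)
# Layering order: ServiceAccount.automountServiceAccountToken is only a
# default; a pod spec that sets the same field wins.  So the SA-level patch
# closes the gap for any future pod that omits the field, while the
# Deployment-level patch keeps the Flux controllers working, since they
# need the token to talk to the Kubernetes API.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system

resources:
  - gotk-components.yaml   # generated by `flux install --export`; never hand-edit

patches:
  # 1. Harden every ServiceAccount in flux-system (no name needed: the
  #    target selector matches all objects of the kind in the namespace).
  - target:
      kind: ServiceAccount
      namespace: flux-system
    patch: |-
      - op: add
        path: /automountServiceAccountToken
        value: false

  # 2. Explicitly opt the controller pods back in at the pod-spec level.
  #    "add" on an existing path replaces it, so this is safe whether or not
  #    the generated manifest already carries the field.
  - target:
      kind: Deployment
      namespace: flux-system
    patch: |-
      - op: add
        path: /spec/template/spec/automountServiceAccountToken
        value: true
```

A quick check after `kustomize build` is to grep the output for `automountServiceAccountToken` and confirm that only Deployment pod templates carry `true`; any ServiceAccount showing `true` means the target selector did not match it.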

Upgrade Notices


Edited by Justen Mehl
