UNCLASSIFIED - NO CUI


Added documentation explaining new hardening of automountServiceAccountToken settings in bigbang

Merged. Dustin Hilgaertner requested to merge grafana-automount-sa-token-documentation into main.
1 file changed: +5 -0
@@ -49,3 +49,8 @@ grafana.ini:
plugin.redis-datasource:
path: /var/lib/bb-plugins/redis-datasource
```
### automountServiceAccountToken
The mutating Kyverno policy named `update-automountserviceaccounttokens` is leveraged to harden all ServiceAccounts in this package with `automountServiceAccountToken: false`. This policy is configured by namespace in the Big Bang umbrella chart repository at [chart/templates/kyverno-policies/values.yaml](https://repo1.dso.mil/big-bang/bigbang/-/blob/master/chart/templates/kyverno-policies/values.yaml?ref_type=heads).
This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts. If a Pod truly requires access to the K8s API (for app functionality), the Pod is added to the `pods:` array of the same mutating policy. This grants the Pod access to the API, and creates a Kyverno PolicyException to prevent an alert.
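Review bot: The sentence "This policy revokes access to the K8s API for Pods utilizing said ServiceAccounts" overstates what `automountServiceAccountToken: false` does: it only stops the ServiceAccount token from being mounted into the Pod automatically, while the ServiceAccount's RBAC bindings remain in place, so a Pod that obtains a token by other means still holds whatever permissions those bindings grant. Suggest rewording to "prevents the ServiceAccount token from being automatically mounted into Pods that use these ServiceAccounts" so readers do not treat the mutation as an RBAC control. Two smaller points: add a blank line between the closing ``` fence and the `### automountServiceAccountToken` heading so the Markdown renders cleanly, and consider showing a short values snippet of a Pod entry in the `pods:` array of `update-automountserviceaccounttokens`, since the text describes that step (and the resulting PolicyException) without showing what the entry looks like.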