UNCLASSIFIED - NO CUI


Draft: 1749-automountServiceAccounts-istio: adding in exception for pods in the istio-operator namespace

Chris Harden requested to merge epic-146-automountserviceaccounttoken-istio into main

General MR

Summary

This MR manages automountServiceAccountToken for both ServiceAccounts and Pods, using a ClusterPolicy to mutate the ServiceAccount and Pod and PolicyExceptions to exempt Pods that violate the disallow-auto-mount-service-account-token ClusterPolicy.

This allows us to manage automountServiceAccountToken in a single package rather than in each package separately.

Note this excludes the default ServiceAccount, as it needs to be mutated differently and will be managed in a separate policy.

# values.yaml
automountServiceAccountTokens:
  enabled: true
  namespaces:
    - namespace: istio-system
      serviceAccounts:
      - istiod
      - istio-reader-service-account
      - public-ingressgateway-service-account
      - passthrough-ingressgateway-service-account
      pods:
      - istiod-*
      - passthrough-ingressgateway-*
      - public-ingressgateway-*
    - namespace: istio-operator
      serviceAccounts:
      - istio-operator
      pods:
      - istiod-*
      - istio-operator-*

The template loops through a list of namespaces. Each namespace contains a list of ServiceAccounts for which automountServiceAccountToken will be disabled, and a list of Pods for which automountServiceAccountToken will be explicitly enabled because the pod truly needs access to the API.

This iteration of the template hardcodes the default values, but Big Bang overrides will be implemented after consensus on the approach.

Driven by epic 146

Relevant logs/screenshots

(Include any relevant logs/screenshots)

Edited by Chris Harden
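The following is an added example, not the MR's Helm template or any Big Bang code. It renders, from the values.yaml structure shown in the MR description, the two kinds of Kyverno objects the description talks about (a mutate ClusterPolicy and one namespaced PolicyException per namespace) and then simulates what a Pod ends up with after mutation and validation. Everything not on the page is an assumption: the mutate policy name `automount-service-account-tokens`, the `kyverno.io/v2` PolicyException API version, the rule names, and the modelled behaviour of the validate policy (it is assumed to reject any Pod that would receive a token, and to have a single rule named after the policy). The Kubernetes precedence rule it relies on is real: `pod.spec.automountServiceAccountToken` overrides the ServiceAccount's `automountServiceAccountToken`, and when both are unset a token is mounted.

```python
"""Added example: render the Kyverno objects described in the MR from its
values structure and simulate the admission outcome for a Pod.

Assumptions (not from the page): policy/rule names, kyverno.io/v2 for
PolicyException, and that the validate policy rejects any Pod that would
receive a projected service account token.
"""
import fnmatch

# Constructed copy of the values.yaml block from the MR description.
VALUES = {
    "enabled": True,
    "namespaces": [
        {"namespace": "istio-system",
         "serviceAccounts": ["istiod", "istio-reader-service-account",
                             "public-ingressgateway-service-account",
                             "passthrough-ingressgateway-service-account"],
         "pods": ["istiod-*", "passthrough-ingressgateway-*",
                  "public-ingressgateway-*"]},
        {"namespace": "istio-operator",
         "serviceAccounts": ["istio-operator"],
         "pods": ["istiod-*", "istio-operator-*"]},
    ],
}

# Validate policy named in the MR; its rule name is an assumption.
VALIDATE_POLICY = "disallow-auto-mount-service-account-token"


def _match(kind, namespace, names):
    """Kyverno match block; `names` supports '*' wildcards in Kyverno."""
    return {"any": [{"resources": {"kinds": [kind],
                                   "namespaces": [namespace],
                                   "names": list(names)}}]}


def build_cluster_policy(values):
    """Two mutate rules per namespace: ServiceAccounts -> false, and the
    Pods that truly need the API -> true. Because a Pod-level field
    overrides the ServiceAccount's, the Pod rule is what re-enables it."""
    rules = []
    for ns in values["namespaces"]:
        name = ns["namespace"]
        rules.append({
            "name": f"disable-sa-automount-{name}",  # assumed rule name
            "match": _match("ServiceAccount", name, ns["serviceAccounts"]),
            "mutate": {"patchStrategicMerge":
                       {"automountServiceAccountToken": False}},
        })
        rules.append({
            "name": f"enable-pod-automount-{name}",  # assumed rule name
            "match": _match("Pod", name, ns["pods"]),
            "mutate": {"patchStrategicMerge":
                       {"spec": {"automountServiceAccountToken": True}}},
        })
    return {"apiVersion": "kyverno.io/v1", "kind": "ClusterPolicy",
            "metadata": {"name": "automount-service-account-tokens"},
            "spec": {"rules": rules}}


def build_policy_exceptions(values):
    """One namespaced PolicyException per namespace, exempting only the
    Pods that the mutate policy explicitly re-enabled."""
    out = []
    for ns in values["namespaces"]:
        name = ns["namespace"]
        out.append({
            "apiVersion": "kyverno.io/v2", "kind": "PolicyException",
            "metadata": {"name": f"{VALIDATE_POLICY}-{name}",
                         "namespace": name},
            "spec": {"exceptions": [{"policyName": VALIDATE_POLICY,
                                     "ruleNames": [VALIDATE_POLICY]}],
                     "match": _match("Pod", name, ns["pods"])},
        })
    return out


def simulate_pod(values, namespace, sa_name, pod_name, pod_field=None):
    """Return (token_mounted, admitted) for a Pod after mutation and
    validation. `pod_field` is the Pod's own automountServiceAccountToken
    as submitted (None = unset). Precedence is Kubernetes' own: Pod field
    overrides ServiceAccount field; both unset mounts a token."""
    cfg = next((n for n in values["namespaces"]
                if n["namespace"] == namespace), None)
    sa_setting, pod_setting, excepted = None, pod_field, False
    if cfg and values["enabled"]:
        if sa_name in cfg["serviceAccounts"]:
            sa_setting = False          # ServiceAccount mutated to false
        if any(fnmatch.fnmatchcase(pod_name, g) for g in cfg["pods"]):
            pod_setting, excepted = True, True   # Pod mutated + exempted
    if pod_setting is not None:
        mounted = pod_setting
    else:
        mounted = True if sa_setting is None else sa_setting
    admitted = (not mounted) or excepted  # assumed validate-policy semantics
    return mounted, admitted
```

The simulation makes the failure mode visible: a Pod in istio-system that uses a listed ServiceAccount but whose name matches none of the globs silently loses its token (mounted False, admitted True), which is the intended hardening but will break any such workload that does call the API server. A Pod using an unlisted ServiceAccount and matching no glob still mounts a token and is rejected by the validate policy, so adding a namespace to the values list is only half the job; every ServiceAccount in it has to be enumerated.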
