
50-mutate-default-sa: Adding clusterrole to the background-controller that...

Chris Harden requested to merge 50-mutate-default-sa into main

General MR

Summary

Kubernetes automatically mounts API credentials in each Pod using the service account. Under the least-privilege best practice, the default service account should not have access to the Kubernetes API; this helps to prevent exploitation of API vulnerabilities. This policy will add configuration to pods so that the service account token is not automatically mounted.

Some package namespaces, and in turn their default serviceaccounts, are created in Bigbang before Kyverno runs. Kyverno can't update those pre-existing resources without adequate permissions.

This MR adds the rights to get, list, watch, update, and patch to the kyverno-background-controller serviceaccount so that those resources can be mutated with a clusterpolicy.

There is a Kyverno-policy MR that is dependent on this MR.
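For reference, the following is an added example of what the described change and the dependent policy look like in Kubernetes manifests. It is not the MR's own diff: the ClusterRole name, the policy name and rule name are assumptions chosen for illustration; the aggregation label is the one Kyverno documents for extending the background controller's permissions (Kyverno 1.10 and later), and the verbs are the five the description lists.

```yaml
# Added example, not the MR's own diff. An aggregated ClusterRole granting the
# Kyverno background controller the verbs the MR description lists on
# ServiceAccount resources. The ClusterRole name is an assumption; the
# aggregation label is the one Kyverno documents for its background controller.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: kyverno:background-controller:serviceaccounts   # assumed name
  labels:
    app.kubernetes.io/component: background-controller
    app.kubernetes.io/instance: kyverno
    app.kubernetes.io/part-of: kyverno
    rbac.kyverno.io/aggregate-to-background-controller: "true"
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    # get/list/watch let the controller see pre-existing default SAs;
    # update/patch let it apply the mutation to them.
    verbs: ["get", "list", "watch", "update", "patch"]
---
# The kind of ClusterPolicy these rights enable (assumed illustration of the
# dependent policy MR): mutate existing "default" ServiceAccounts so the API
# token is no longer auto-mounted into Pods that use them.
# mutateExistingOnPolicyUpdate makes Kyverno apply the rule to resources that
# already existed before the policy (the Big Bang case described above).
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: disable-automount-default-sa   # assumed name
spec:
  mutateExistingOnPolicyUpdate: true
  rules:
    - name: set-automount-false
      match:
        any:
          - resources:
              kinds: ["ServiceAccount"]
              names: ["default"]
      mutate:
        targets:
          - apiVersion: v1
            kind: ServiceAccount
            name: default
            namespace: "{{ request.object.metadata.namespace }}"
        patchStrategicMerge:
          automountServiceAccountToken: false
```

Without the ClusterRole, a mutate-existing rule fails at the point where the background controller tries to read or patch the target ServiceAccount, which is visible as a policy report or background-controller log entry rather than as an admission error. A quick check after the aggregated role is applied, assuming the controller's service account is named kyverno-background-controller in the kyverno namespace, is `kubectl auth can-i patch serviceaccounts --as=system:serviceaccount:kyverno:kyverno-background-controller`, which should answer `yes`.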


Relates #50 (closed)

Edited by Ryan Garcia
