
Mitigate automountServiceAccountToken findings

Justen Mehl requested to merge harden-automounting into main

General MR

Summary

Related to https://repo1.dso.mil/big-bang/product/packages/metrics-server/-/issues/24 and #22 (closed)

This MR includes a default value modification in chart/values.yaml to disable API token auto-mounting for the metrics-server ServiceAccount.

This essentially means that Pods leveraging the metrics-server ServiceAccount, by default, will not have access to their Kubernetes API token (previously mounted at /var/run/secrets/kubernetes.io/serviceaccount/token).

Since this package deals with the Kubernetes API heavily, the metrics-server Pod will override this behavior at the Pod spec level here. As such, a Kyverno policy exception will be made for this Pod.

My manual testing of the package according to DEVELOPMENT_MAINTENANCE.md has shown no loss of functionality, but if the codeowners are aware of any potential breakage, please let me know!

This is in support of epic &146.

--

Also contains a minor version bump to registry1.dso.mil/ironbank/opensource/kubernetes/kubectl:v1.28.3 to knock out the Renovate issue.

Edited by Justen Mehl
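The precedence the MR relies on (a Pod spec `automountServiceAccountToken` overrides the ServiceAccount's setting, and an unset field on both sides means the token is mounted) is easy to get wrong when reviewing manifests. The following checker is an added example written for this page; it is not code from the MR or from the metrics-server chart. It resolves the effective setting for Pods and templated workloads against a set of ServiceAccounts, using constructed sample manifests (the `monitoring` namespace and the `debug-shell` Pod are assumptions, not objects from the package).

```python
"""Static audit of the effective automountServiceAccountToken setting.

Kubernetes precedence: Pod spec field > ServiceAccount field > default (True).
Added example for review purposes; manifests below are constructed samples.
"""
from typing import List, Optional, Tuple

# Workload kinds whose Pod spec lives under spec.template.spec
TEMPLATED_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "Job", "ReplicaSet"}

# Constructed sample ServiceAccounts (assumption: a "monitoring" namespace).
SERVICE_ACCOUNTS = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "metrics-server", "namespace": "monitoring"},
     "automountServiceAccountToken": False},      # the change this MR makes
    {"kind": "ServiceAccount",
     "metadata": {"name": "default", "namespace": "monitoring"}},  # field unset
]

# Constructed sample workloads.
WORKLOADS = [
    # metrics-server itself: needs the API, so the Pod spec overrides the SA.
    {"kind": "Deployment",
     "metadata": {"name": "metrics-server", "namespace": "monitoring"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "metrics-server",
         "automountServiceAccountToken": True,
         "containers": [{"name": "metrics-server", "image": "placeholder"}]}}}},
    # hypothetical Pod reusing the same SA with no override: inherits False.
    {"kind": "Pod",
     "metadata": {"name": "debug-shell", "namespace": "monitoring"},
     "spec": {"serviceAccountName": "metrics-server",
              "containers": [{"name": "sh", "image": "placeholder"}]}},
    # hypothetical Pod on the namespace default SA with nothing set: mounted.
    {"kind": "Pod",
     "metadata": {"name": "unannotated", "namespace": "monitoring"},
     "spec": {"containers": [{"name": "app", "image": "placeholder"}]}},
]


def pod_spec_of(obj: dict) -> Optional[dict]:
    """Return the Pod spec of a Pod or templated workload, else None."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj.get("spec", {})
    if kind in TEMPLATED_KINDS:
        return obj.get("spec", {}).get("template", {}).get("spec", {})
    return None


def find_service_account(name: str, namespace: str,
                         service_accounts: List[dict]) -> Optional[dict]:
    """Look up a ServiceAccount by name and namespace."""
    for sa in service_accounts:
        meta = sa.get("metadata", {})
        if meta.get("name") == name and meta.get("namespace", "default") == namespace:
            return sa
    return None


def effective_automount(obj: dict, service_accounts: List[dict]) -> Tuple[bool, str]:
    """Resolve whether obj's Pods receive an API token, with the reason."""
    spec = pod_spec_of(obj)
    if spec is None:
        raise ValueError(f"unsupported kind {obj.get('kind')!r}")
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:                       # Pod spec wins when set
        return bool(pod_setting), "Pod spec sets automountServiceAccountToken"
    namespace = obj.get("metadata", {}).get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa = find_service_account(sa_name, namespace, service_accounts)
    if sa is None:
        return True, f"ServiceAccount {namespace}/{sa_name} not in input; default (mounted) assumed"
    sa_setting = sa.get("automountServiceAccountToken")
    if sa_setting is not None:                        # then the ServiceAccount
        return bool(sa_setting), f"inherited from ServiceAccount {namespace}/{sa_name}"
    return True, "neither Pod nor ServiceAccount sets it; Kubernetes default is to mount"


def audit(workloads: List[dict], service_accounts: List[dict]) -> List[Tuple[str, bool, str]]:
    """Return (kind/name, token_mounted, reason) for every workload."""
    results = []
    for w in workloads:
        name = f"{w['kind']}/{w['metadata']['name']}"
        mounted, why = effective_automount(w, service_accounts)
        results.append((name, mounted, why))
    return results


if __name__ == "__main__":
    for name, mounted, why in audit(WORKLOADS, SERVICE_ACCOUNTS):
        print(f"{name:35} token mounted={mounted!s:5} ({why})")
```

Run against the samples, only the metrics-server Deployment and the Pod on the untouched `default` ServiceAccount end up with a token; the Pod that merely reuses the hardened ServiceAccount does not. This is a static check over manifests; confirming the running state still means inspecting the Pod for a projected token volume at /var/run/secrets/kubernetes.io/serviceaccount.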
