Mitigate automountServiceAccountToken findings
General MR
Summary
Relates to https://repo1.dso.mil/big-bang/product/packages/policy/-/issues/191
This MR includes template modifications to disable API token auto-mounting for the gatekeeper-admin
ServiceAccount.
This essentially means that Pods leveraging the gatekeeper-admin
ServiceAccount, by default, will not have access to their Kubernetes API token (previously mounted at /var/run/secrets/kubernetes.io/serviceaccount/token
).
Since this package deals with the Kubernetes API heavily - all Gatekeeper Pods override this behavior at the Pod spec-level (example here ). As such, a Kyverno policy exception will be made for said Pods.
This "overriding" pattern is repeated for several post/pre install/upgrade Jobs (i.e., gatekeeper-update-crds-hook
), as they require access to the K8s API as well.
Testing has shown no loss of functionality - but if the codeowners are aware of any potential breakage, please let me know!
This is in support of epic &146.
--
This MR also flips bbtests.enabled: false
, since I noticed test resources in my personal deployments and I believe that is unintended (?).