UNCLASSIFIED - NO CUI


Mitigate automountServiceAccountToken findings

Justen Mehl requested to merge harden-automounting-token into main

General MR

Summary

This MR includes default value modifications in chart/values.yaml to:

  1. Enable creation of dedicated ServiceAccounts (as opposed to just using the default SA)
  2. Disable API token auto-mounting for Pods utilizing said ServiceAccount.

This essentially means that containers in the sonarqube-postgresql-0 and sonarqube-sonarqube-0 Pods are now utilizing a ServiceAccount (sonarqube-postgresql and sonarqube-sonarqube respectively), and no longer have access to the Kubernetes API via their API token previously mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.

My manual testing of the package according to DEVELOPMENT_MAINTENANCE.md has shown no loss of functionality - but if the codeowners are aware of any potential breakage, please let me know!

This is in support of epic &146.

Relates #76

Edited by Justen Mehl
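A way to confirm that the change above actually removes the token from the Pods, as an added example that is not part of the MR or of the chart: Kubernetes mounts a ServiceAccount token unless the Pod's spec.automountServiceAccountToken is false, or the ServiceAccount's automountServiceAccountToken is false and the Pod does not override it; the Pod-level value wins, and a token can still be mounted by hand through a projected volume with a serviceAccountToken source, which the automount flag does not prevent. The script below applies those rules to the JSON shape of `kubectl get pods,serviceaccounts -o json`. The three snapshots are constructed to mirror the before/after state the MR describes plus a hypothetical regression (the Pod names override-0 and projected-0 and the volume name kube-api-access-abc are assumptions, not from the chart).

```python
"""Audit Pods for an effectively mounted ServiceAccount API token.

Added example, not code from the MR or the chart.  Input is the `kind: List`
document produced by `kubectl get pods,serviceaccounts -o json`.
"""
import json
import sys


def _serviceaccounts(items):
    """Index ServiceAccount objects by name."""
    return {i["metadata"]["name"]: i for i in items if i.get("kind") == "ServiceAccount"}


def token_mounted(pod, serviceaccounts):
    """True if Kubernetes will auto-mount an API token into this Pod.

    Pod spec takes precedence over the ServiceAccount; if neither sets the
    flag, the default is to mount the token.
    """
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    sa = serviceaccounts.get(spec.get("serviceAccountName", "default"), {})
    if "automountServiceAccountToken" in sa:
        return bool(sa["automountServiceAccountToken"])
    return True


def explicit_token_volumes(pod):
    """Names of projected volumes that carry a serviceAccountToken source."""
    names = []
    for vol in pod.get("spec", {}).get("volumes", []) or []:
        for src in (vol.get("projected") or {}).get("sources", []) or []:
            if "serviceAccountToken" in src:
                names.append(vol["name"])
    return names


def audit(kubectl_json):
    """Return (pod, serviceAccountName, reason) for every Pod that gets a token."""
    items = json.loads(kubectl_json)["items"]
    sas = _serviceaccounts(items)
    findings = []
    for pod in (i for i in items if i.get("kind") == "Pod"):
        name = pod["metadata"]["name"]
        sa_name = pod.get("spec", {}).get("serviceAccountName", "default")
        if token_mounted(pod, sas):
            findings.append((name, sa_name, "automount"))
        for vol in explicit_token_volumes(pod):
            findings.append((name, sa_name, "projected:" + vol))
    return findings


# Constructed snapshot: both Pods on the default SA, nothing disables automount.
BEFORE = json.dumps({"kind": "List", "items": [
    {"kind": "ServiceAccount", "metadata": {"name": "default"}},
    {"kind": "Pod", "metadata": {"name": "sonarqube-postgresql-0"},
     "spec": {"serviceAccountName": "default"}},
    {"kind": "Pod", "metadata": {"name": "sonarqube-sonarqube-0"},
     "spec": {"serviceAccountName": "default"}},
]})

# Constructed snapshot: dedicated SAs with automount off at both levels.
AFTER = json.dumps({"kind": "List", "items": [
    {"kind": "ServiceAccount", "metadata": {"name": "sonarqube-postgresql"},
     "automountServiceAccountToken": False},
    {"kind": "ServiceAccount", "metadata": {"name": "sonarqube-sonarqube"},
     "automountServiceAccountToken": False},
    {"kind": "Pod", "metadata": {"name": "sonarqube-postgresql-0"},
     "spec": {"serviceAccountName": "sonarqube-postgresql",
              "automountServiceAccountToken": False}},
    {"kind": "Pod", "metadata": {"name": "sonarqube-sonarqube-0"},
     "spec": {"serviceAccountName": "sonarqube-sonarqube",
              "automountServiceAccountToken": False}},
]})

# Hypothetical regression: the SA says false, but one Pod overrides it to
# true and another mounts a token by hand through a projected volume.
REGRESSED = json.dumps({"kind": "List", "items": [
    {"kind": "ServiceAccount", "metadata": {"name": "sonarqube-sonarqube"},
     "automountServiceAccountToken": False},
    {"kind": "Pod", "metadata": {"name": "override-0"},
     "spec": {"serviceAccountName": "sonarqube-sonarqube",
              "automountServiceAccountToken": True}},
    {"kind": "Pod", "metadata": {"name": "projected-0"},
     "spec": {"serviceAccountName": "sonarqube-sonarqube",
              "volumes": [{"name": "kube-api-access-abc",
                           "projected": {"sources": [
                               {"serviceAccountToken": {"path": "token"}}]}}]}},
]})

if __name__ == "__main__":
    # Pipe live cluster state in, or fall back to the constructed snapshots.
    data = sys.stdin.read() if not sys.stdin.isatty() else None
    snapshots = {"stdin": data} if data else {"before": BEFORE, "after": AFTER, "regressed": REGRESSED}
    for label, doc in snapshots.items():
        print(label, audit(doc))
```

Run it against a namespace with `kubectl get pods,serviceaccounts -n <namespace> -o json | python3 audit_sa_token.py`; an empty finding list for the two SonarQube Pods is the expected result after this MR. As a second, runtime-side check, `kubectl exec sonarqube-sonarqube-0 -- ls /var/run/secrets/kubernetes.io/serviceaccount/` should now fail because the directory is not mounted.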
