Mitigate automountServiceAccountToken findings
General MR
Summary
This MR includes default value modifications in chart/values.yaml to:
- Enable creation of dedicated ServiceAccounts (as opposed to just using the default SA)
- Disable API token auto-mounting for Pods utilizing said ServiceAccount.
This essentially means that containers in the sonarqube-postgresql-0 and sonarqube-sonarqube-0 Pods are now utilizing a ServiceAccount (sonarqube-postgresql and sonarqube-sonarqube respectively), and no longer have access to the Kubernetes API via their API token previously mounted at /var/run/secrets/kubernetes.io/serviceaccount/token.
My manual testing of the package according to DEVELOPMENT_MAINTENANCE.md has shown no loss of functionality - but if the codeowners are aware of any potential breakage, please let me know!
This is in support of epic &146.
Relates #76
Edited by Justen Mehl
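
One way to check the outcome described in this MR, as an added example that is not part of the MR or the chart: the script below audits Pod and ServiceAccount objects for use of the default SA and for an effectively auto-mounted API token, applying the Kubernetes rule that a Pod-level automountServiceAccountToken overrides the ServiceAccount's. The sample input is constructed, the "override-demo" and "legacy-job" Pods are hypothetical, and a single namespace is assumed.

```python
import json

# Constructed sample in the shape of `kubectl get pods,serviceaccounts -o json`,
# trimmed to the fields the audit reads. SonarQube names follow the MR text;
# "override-demo" and "legacy-job" are hypothetical Pods added for illustration.
SAMPLE = json.loads("""
{"items": [
 {"kind": "ServiceAccount", "metadata": {"name": "default"}},
 {"kind": "ServiceAccount", "metadata": {"name": "sonarqube-sonarqube"},
  "automountServiceAccountToken": false},
 {"kind": "ServiceAccount", "metadata": {"name": "sonarqube-postgresql"},
  "automountServiceAccountToken": false},
 {"kind": "Pod", "metadata": {"name": "sonarqube-sonarqube-0"},
  "spec": {"serviceAccountName": "sonarqube-sonarqube"}},
 {"kind": "Pod", "metadata": {"name": "sonarqube-postgresql-0"},
  "spec": {"serviceAccountName": "sonarqube-postgresql"}},
 {"kind": "Pod", "metadata": {"name": "override-demo"},
  "spec": {"serviceAccountName": "sonarqube-sonarqube",
           "automountServiceAccountToken": true}},
 {"kind": "Pod", "metadata": {"name": "legacy-job"}, "spec": {}}
]}
""")

def effective_automount(pod, service_accounts):
    """Pod-level setting wins, then the ServiceAccount's, else the default (True)."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return spec["automountServiceAccountToken"]
    sa = service_accounts.get(spec.get("serviceAccountName", "default"), {})
    return sa.get("automountServiceAccountToken", True)

def audit(objects):
    """Return {pod name: [issues]} for Pods that would still raise the finding."""
    sas = {o["metadata"]["name"]: o for o in objects if o["kind"] == "ServiceAccount"}
    findings = {}
    for pod in (o for o in objects if o["kind"] == "Pod"):
        issues = []
        if pod.get("spec", {}).get("serviceAccountName", "default") == "default":
            issues.append("uses default ServiceAccount")
        if effective_automount(pod, sas):
            issues.append("API token auto-mounted")
        if issues:
            findings[pod["metadata"]["name"]] = issues
    return findings

if __name__ == "__main__":
    for name, issues in audit(SAMPLE["items"]).items():
        print(f"{name}: {', '.join(issues)}")
```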