Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
control-service: don't include needless service token (#1679)
Kubernetes, service accounts are used by pods to authenticate with the Kubernetes API server and access resources in the cluster. Each pod is assigned a service account, and by default, the service account token is mounted in the pod's file system and used for authentication. However, not all pods need to access the Kubernetes API server or cluster resources, and in some cases, including the service account token can pose a security risk. For example, if a pod is compromised or runs untrusted code (which data job generally do), an attacker could use the service account token to escalate privileges and access sensitive resources in the cluster. To mitigate this risk, Kubernetes provides the `automountServiceAccountToken` property, which can be used to disable the automatic mounting of the service account token in pods. By setting this property to false, the service account token is not included by default, and the pod does not have access to the token unless it is manually mounted in a volume. It is a best practice to follow the principle of least privilege when designing and configuring Kubernetes workloads. By disabling the automatic mounting of the service account token, we can reduce the attack surface of our pods (and hence data jobs) and minimize the risk of compromise or data breaches. Testing Done: existing integration tests cover that the main functionality will not be broken by setting automountServiceAccountToken to false. Signed-off-by: Antoni Ivanov <[email protected]>
- Loading branch information
1 parent
9a67e6a
commit 768ec74