The source project of this merge request has been removed.
Configurable automount for SA token
What does this MR do?
It allows users to opt out of the service account token automount.
Why was this MR needed?
GitLab runner does not need access to the Kubernetes API in every situation: only when the Kubernetes executor is being used. By allowing users to not automount it, it can reduce unnecessary attack surface. Attackers cannot access the K8S API on behalf of the pod without a token.
What's the best way to test this MR?
See if automountServiceAccountToken is getting templated.
What are the relevant issue numbers?
n/a
Remarks
I could have implemented logic involving the mode, but as there might be other cases (init containers, sidecars, plugins) requiring K8S access from the pod, I thought a boolean in the values might be the most fitting.
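One way to run the check described under "What's the best way to test this MR?", as an added example that is not part of the merge request or the chart. It assumes the rendered manifests are available as a JSON list; every object name in the sample is constructed, and namespaces are ignored for brevity. It applies the Kubernetes rule that the pod spec value wins over the ServiceAccount value and that the token is mounted when neither is set.

```python
import json

# Constructed sample of rendered objects; names are hypothetical.
RENDERED = json.loads("""
{"kind": "List", "items": [
  {"kind": "ServiceAccount", "metadata": {"name": "runner-sa"}},
  {"kind": "ServiceAccount", "metadata": {"name": "locked-sa"},
   "automountServiceAccountToken": false},
  {"kind": "Deployment", "metadata": {"name": "runner-optout"},
   "spec": {"template": {"spec": {"serviceAccountName": "runner-sa",
                                  "automountServiceAccountToken": false}}}},
  {"kind": "Deployment", "metadata": {"name": "runner-default"},
   "spec": {"template": {"spec": {"serviceAccountName": "runner-sa"}}}},
  {"kind": "Deployment", "metadata": {"name": "runner-sa-optout"},
   "spec": {"template": {"spec": {"serviceAccountName": "locked-sa"}}}},
  {"kind": "Pod", "metadata": {"name": "sidecar-override"},
   "spec": {"serviceAccountName": "locked-sa",
            "automountServiceAccountToken": true}}
]}
""")


def pod_spec(obj):
    """Return the pod spec of a Pod or of a workload with a pod template."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec")


def token_mounted(items):
    """Map workload name -> True if the API token would be mounted."""
    sa_setting = {i["metadata"]["name"]: i.get("automountServiceAccountToken")
                  for i in items if i.get("kind") == "ServiceAccount"}
    result = {}
    for obj in items:
        spec = pod_spec(obj)
        if spec is None:  # not a workload (e.g. the ServiceAccount itself)
            continue
        setting = spec.get("automountServiceAccountToken")
        if setting is None:  # pod spec silent: fall back to the ServiceAccount
            setting = sa_setting.get(spec.get("serviceAccountName", "default"))
        # Neither level set: Kubernetes mounts the token by default.
        result[obj["metadata"]["name"]] = True if setting is None else setting
    return result


if __name__ == "__main__":
    for name, mounted in token_mounted(RENDERED["items"]).items():
        print(f"{name}: token {'MOUNTED' if mounted else 'not mounted'}")
```

A workload reported as mounted with the opt-out enabled in the values means the field is not being templated into the pod spec.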