Allow user to turn off automountServiceAccountToken feature
What does this MR do?
Allows the user to turn off the automountServiceAccountToken feature.
Why was this MR needed?
The default service account token mechanism automatically mounts a static service account token which never changes unless manually rotated.
As a security mechanism, Kubernetes introduced the Bound Service Account Token
projected volume mechanism as a stable feature in Kubernetes 1.22. This allows you to get a time-limited token (default 1 hour) via a projected volume. In Kubernetes 1.28, by default, all tokens are going to be projected into the pod, though you can still manually create a token secret to get a long-lived token.
Given that the chart already supports user-defined volumes and volume mounts, adding this field allows users to completely replace the built-in automatically mounted static service account token ahead of an upgrade to Kubernetes 1.28.
What's the best way to test this MR?
Uncomment and set automountServiceAccountToken to false in the values, and add the necessary fields to add a projected service account token volume and volume mount. Something like below should work properly:
```yaml
automountServiceAccountToken: false
volumeMounts:
  - name: gitlab-runner
    mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    readOnly: true
volumes:
  - name: gitlab-runner
    projected:
      defaultMode: 0440
      sources:
        - configMap:
            name: kube-root-ca.crt
        - downwardAPI:
            items:
              - fieldRef:
                  apiVersion: v1
                  fieldPath: metadata.namespace
                path: namespace
        - serviceAccountToken:
            expirationSeconds: 3600
            path: token
```

What are the relevant issue numbers?
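Added check for the test procedure above, not part of this MR or the chart: a stdlib-only Python script that inspects the token a runner pod actually received at /var/run/secrets/kubernetes.io/serviceaccount/token and reports whether it is a bound, time-limited token matching the expirationSeconds in the values (3600) or a legacy static secret token. Both sample tokens are constructed with placeholder signatures; the claim names follow what Kubernetes issues, and no signature is verified.

```python
import base64
import json
import sys

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def token_claims(jwt: str) -> dict:
    """Payload claims of a JWT. No signature check: this only inspects what the
    kubelet projected into the pod, it does not authenticate the token."""
    _header, payload, _signature = jwt.split(".")  # ValueError if not 3 segments
    return json.loads(_b64url_decode(payload))

def check_bound_token(jwt: str, expected_lifetime: int = 3600) -> dict:
    """Classify a service account token as legacy (static secret, never expires)
    or bound (projected volume) and compare its lifetime with expirationSeconds."""
    c = token_claims(jwt)
    bound = all(k in c for k in ("exp", "iat", "kubernetes.io"))
    lifetime = c["exp"] - c["iat"] if bound else None
    return {"bound": bound, "lifetime": lifetime,
            "lifetime_ok": bound and lifetime == expected_lifetime,
            "pod": c["kubernetes.io"].get("pod", {}).get("name") if bound else None}

def _constructed_jwt(payload: dict) -> str:
    # Constructed sample: a real token is signed by the API server; the signature here is a placeholder.
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': 'sample'})}.{enc(payload)}.c2lnbmF0dXJl"

NOW = 1_700_000_000
# Shape of the token the serviceAccountToken projection produces (expirationSeconds: 3600), constructed.
BOUND_TOKEN = _constructed_jwt({
    "iss": "https://kubernetes.default.svc", "aud": ["https://kubernetes.default.svc"],
    "iat": NOW, "nbf": NOW, "exp": NOW + 3600,
    "kubernetes.io": {"namespace": "gitlab", "pod": {"name": "gitlab-runner-0"},
                      "serviceaccount": {"name": "gitlab-runner"}},
    "sub": "system:serviceaccount:gitlab:gitlab-runner"})
# Legacy static-secret token: no exp/iat, so it stays valid until someone rotates it (constructed).
LEGACY_TOKEN = _constructed_jwt({
    "iss": "kubernetes/serviceaccount",
    "kubernetes.io/serviceaccount/namespace": "gitlab",
    "kubernetes.io/serviceaccount/service-account.name": "gitlab-runner",
    "sub": "system:serviceaccount:gitlab:gitlab-runner"})

if __name__ == "__main__":
    # In the runner pod: python3 check_token.py < /var/run/secrets/kubernetes.io/serviceaccount/token
    print(check_bound_token(sys.stdin.read().strip()))
```

A result with `"bound": False` after the upgrade means the built-in static token mount is still active and the projected volume is not the one at the service account path.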