diff --git a/keda/README.md b/keda/README.md
index 6b922710..aa408247 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -140,6 +140,7 @@ their default values.
 | `operator.replicaCount` | int | `1` | Capability to configure the number of replicas for KEDA operator. While you can run more replicas of our operator, only one operator instance will be the leader and serving traffic. You can run multiple replicas, but they will not improve the performance of KEDA, it could only reduce downtime during a failover. Learn more in [our documentation](https://keda.sh/docs/latest/operate/cluster/#high-availability). |
 | `operator.revisionHistoryLimit` | int | `10` | ReplicaSets for this Deployment you want to retain (Default: 10) |
 | `permissions.operator.restrict.namesAllowList` | list | `[]` | Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account also the configured `watchNamespace`. the default is an empty array -> no restriction on the secret name |
+| `permissions.operator.restrict.saTokens` | bool | `true` | Restrict Service Account Token Creation Access for KEDA operator |
 | `permissions.operator.restrict.secret` | bool | `false` | Restrict Secret Access for KEDA operator if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace |
 | `podAnnotations.keda` | object | `{}` | Pod annotations for KEDA operator |
 | `podDisruptionBudget.operator` | object | `{}` | Capability to configure [Pod Disruption Budget] |
diff --git a/keda/templates/crds/crd-clustertriggerauthentications.yaml b/keda/templates/crds/crd-clustertriggerauthentications.yaml
index 823e5140..75a968fc 100644
--- a/keda/templates/crds/crd-clustertriggerauthentications.yaml
+++ b/keda/templates/crds/crd-clustertriggerauthentications.yaml
@@ -308,6 +308,18 @@ spec:
                 - secrets
                 - vaultUri
                 type: object
+              boundServiceAccountToken:
+                items:
+                  properties:
+                    parameter:
+                      type: string
+                    serviceAccountName:
+                      type: string
+                  required:
+                  - parameter
+                  - serviceAccountName
+                  type: object
+                type: array
               configMapTargetRef:
                 items:
                   description: AuthConfigMapTargetRef is used to authenticate using
diff --git a/keda/templates/crds/crd-triggerauthentications.yaml b/keda/templates/crds/crd-triggerauthentications.yaml
index 5bfec720..735f9d2e 100644
--- a/keda/templates/crds/crd-triggerauthentications.yaml
+++ b/keda/templates/crds/crd-triggerauthentications.yaml
@@ -307,6 +307,21 @@ spec:
                 - secrets
                 - vaultUri
                 type: object
+              boundServiceAccountToken:
+                items:
+                  properties:
+                    expiry:
+                      type: string
+                    parameter:
+                      type: string
+                    serviceAccountName:
+                      type: string
+                  required:
+                  - expiry
+                  - parameter
+                  - serviceAccountName
+                  type: object
+                type: array
               configMapTargetRef:
                 items:
                   description: AuthConfigMapTargetRef is used to authenticate using
diff --git a/keda/templates/manager/clusterrole.yaml b/keda/templates/manager/clusterrole.yaml
index 990423b9..9d26e4e6 100644
--- a/keda/templates/manager/clusterrole.yaml
+++ b/keda/templates/manager/clusterrole.yaml
@@ -24,6 +24,14 @@ rules:
   - get
   - list
   - watch
+{{- if eq .Values.permissions.operator.restrict.saTokens false }}
+- apiGroups:
+  - ""
+  resources:
+  - serviceaccounts/token
+  verbs:
+  - create
+{{- end }}
 - apiGroups:
   - ""
   resources:
diff --git a/keda/values.yaml b/keda/values.yaml
index e429fe09..1291f96e 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
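Review bot: The `boundServiceAccountToken` schema added to crd-clustertriggerauthentications.yaml has no `expiry` property, while the same field added in the crd-triggerauthentications.yaml hunk of this commit declares `expiry` and lists it under `required`; unless the cluster-scoped type deliberately has no bounded lifetime, the two schemas should agree so a token minted through a ClusterTriggerAuthentication is subject to the same expiry as one minted through a TriggerAuthentication. If these files are copied from upstream generated manifests, regenerating both from the same revision would remove the drift rather than patching one by hand. In both hunks the new field also lacks a `description`, unlike the neighbouring `configMapTargetRef`; a line such as `description: BoundServiceAccountToken is used to authenticate using a token issued for the named service account` under `items:` would make the field self-explaining in `kubectl explain`.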
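Review bot: The rule emitted under `{{- if eq .Values.permissions.operator.restrict.saTokens false }}` grants `create` on `serviceaccounts/token` in a ClusterRole, so turning the restriction off lets the operator request a token for any service account in any namespace, which is effectively the ability to act as any workload identity in the cluster and is broader than a single `serviceAccountName` in a TriggerAuthentication needs. If the chart already narrows `restrict.secret` to a namespaced Role when that flag is set, the same pattern could apply here; at minimum the rule should carry a comment stating the scope, e.g. `# token creation is cluster-wide; only disable restrict.saTokens when a TriggerAuthentication uses boundServiceAccountToken`. With the default of `true` the permission is absent, so a TriggerAuthentication that uses the new field will presumably fail at runtime with an RBAC error rather than at install time, which is worth stating next to the value. Stylistically, `{{- if not .Values.permissions.operator.restrict.saTokens }}` is the usual Helm form of this test. The rule whose `get`/`list`/`watch` verbs precede the insertion begins outside the hunk.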
@@ -842,6 +842,8 @@ permissions:
       # -- Restrict Secret Access for KEDA operator
       # if true, KEDA operator will be able to read only secrets in {{ .Release.Namespace }} namespace
       secret: false
+      # -- Restrict Service Token Access for KEDA operator
+      saTokens: true
       # -- Array of strings denoting what secrets the KEDA operator will be able to read, this takes into account
       # also the configured `watchNamespace`.
       # the default is an empty array -> no restriction on the secret name
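Review bot: The `# --` comment for `saTokens` reads `Restrict Service Token Access for KEDA operator`, which does not match the README row added in the same commit (`Restrict Service Account Token Creation Access for KEDA operator`); the `# --` marker suggests the README table is generated from these comments, in which case the table should be regenerated from the corrected comment rather than edited separately. The comment should also say what the flag actually controls, following the style of the `secret` entry just above it: `# -- Restrict Service Account Token creation for KEDA operator` followed by `# if false, the operator ClusterRole gains create on serviceaccounts/token, which boundServiceAccountToken in a TriggerAuthentication needs`.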