From 08500c3d76c6cc4763945c5fc641bb9d1f675f5d Mon Sep 17 00:00:00 2001
From: Gregory Thiemonge
Date: Mon, 21 Oct 2024 16:31:29 +0000
Subject: [PATCH] Set AutomountServiceAccountToken to false
SAST: Disable the automount feature by explicitly setting the `automountServiceAccountToken` attribute to `false`
JIRA: OSPRH-9917
---
 pkg/amphoracontrollers/daemonset.go | 1 +
 pkg/octavia/dbsync.go | 5 +++--
 pkg/octavia/image_upload_deployment.go | 4 +++-
 pkg/octaviaapi/deployment.go | 3 ++-
 pkg/octaviarsyslog/daemonset.go | 3 ++-
 tests/kuttl/common/assert_sample_deployment.yaml | 1 +
 6 files changed, 12 insertions(+), 5 deletions(-)
diff --git a/pkg/amphoracontrollers/daemonset.go b/pkg/amphoracontrollers/daemonset.go
index f1ab0046..5c1bed4f 100644
--- a/pkg/amphoracontrollers/daemonset.go
+++ b/pkg/amphoracontrollers/daemonset.go
@@ -147,6 +147,7 @@ func DaemonSet(
 },
 TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
 ServiceAccountName: instance.Spec.ServiceAccount,
+ AutomountServiceAccountToken: ptr.To(false),
 Containers: []corev1.Container{
 {
 Name: serviceName,
diff --git a/pkg/octavia/dbsync.go b/pkg/octavia/dbsync.go
index c167b9ae..aa59b16a 100644
--- a/pkg/octavia/dbsync.go
+++ b/pkg/octavia/dbsync.go
@@ -68,8 +68,9 @@ func DbSyncJob(
 SecurityContext: &corev1.PodSecurityContext{
 FSGroup: ptr.To(OctaviaUID),
 },
- RestartPolicy: corev1.RestartPolicyOnFailure,
- ServiceAccountName: instance.RbacResourceName(),
+ RestartPolicy: corev1.RestartPolicyOnFailure,
+ ServiceAccountName: instance.RbacResourceName(),
+ AutomountServiceAccountToken: ptr.To(false),
 Containers: []corev1.Container{
 {
 Name: ServiceName + "-db-sync",
diff --git a/pkg/octavia/image_upload_deployment.go b/pkg/octavia/image_upload_deployment.go
index 81752635..785ca96a 100644
--- a/pkg/octavia/image_upload_deployment.go
+++ b/pkg/octavia/image_upload_deployment.go
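Review bot: The pod spec keeps `ServiceAccountName: instance.Spec.ServiceAccount` while the new line disables the token mount, and nothing in the hunk records why the account is still assigned, so a later reader may either drop the account or re-enable the mount to "fix" it. A one-line comment above the new field would pin the intent, e.g. `// Keep the service account for RBAC/SCC binding; no container in this pod needs an in-cluster API token.` — confirm that claim against what the amphora controller containers actually do, since a container that does use client-go would now fail at runtime rather than at build time. The same applies to the DbSyncJob hunk below and to the ImageUploadDeployment, octaviaapi Deployment and octaviarsyslog DaemonSet hunks on the next line. As `ptr.To(false)` is repeated in five pod specs, a single named value beside `OctaviaUID` in the octavia package (which octaviaapi already imports) would give one place to document the decision; the enclosing DaemonSet function starts and ends outside the hunk.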
@@ -23,6 +23,7 @@ import (
 appsv1 "k8s.io/api/apps/v1"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/utils/ptr"
 )

 type ImageUploadDetails struct {
@@ -107,7 +108,8 @@ func ImageUploadDeployment(
 Labels: labels,
 },
 Spec: corev1.PodSpec{
- ServiceAccountName: instance.RbacResourceName(),
+ ServiceAccountName: instance.RbacResourceName(),
+ AutomountServiceAccountToken: ptr.To(false),
 Containers: []corev1.Container{
 {
 Name: "octavia-amphora-httpd",
diff --git a/pkg/octaviaapi/deployment.go b/pkg/octaviaapi/deployment.go
index e8d6e078..3575d6cc 100644
--- a/pkg/octaviaapi/deployment.go
+++ b/pkg/octaviaapi/deployment.go
@@ -158,7 +158,8 @@ func Deployment(
 SecurityContext: &corev1.PodSecurityContext{
 FSGroup: ptr.To(octavia.OctaviaUID),
 },
- ServiceAccountName: instance.Spec.ServiceAccount,
+ ServiceAccountName: instance.Spec.ServiceAccount,
+ AutomountServiceAccountToken: ptr.To(false),
 Containers: []corev1.Container{
 {
 Name: serviceName,
diff --git a/pkg/octaviarsyslog/daemonset.go b/pkg/octaviarsyslog/daemonset.go
index a5ede1e5..1163c52d 100644
--- a/pkg/octaviarsyslog/daemonset.go
+++ b/pkg/octaviarsyslog/daemonset.go
@@ -103,7 +103,8 @@ func DaemonSet(
 Labels: labels,
 },
 Spec: corev1.PodSpec{
- ServiceAccountName: instance.Spec.ServiceAccount,
+ ServiceAccountName: instance.Spec.ServiceAccount,
+ AutomountServiceAccountToken: ptr.To(false),
 Containers: []corev1.Container{
 {
 Name: serviceName,
diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
index d7001f6d..38832269 100644
--- a/tests/kuttl/common/assert_sample_deployment.yaml
+++ b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -98,6 +98,7 @@ spec:
 - octavia-api
 topologyKey: kubernetes.io/hostname
 weight: 100
+ automountServiceAccountToken: false
 containers:
 - args:
 - -c
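Review bot: The kuttl assertion pins `automountServiceAccountToken: false` only on the pod template whose affinity names `octavia-api`, i.e. the octavia-api Deployment; the amphora-controller and rsyslog DaemonSets, the db-sync Job and the image-upload Deployment changed in the Go hunks get no equivalent assertion, so a regression in any of them would still pass this suite. If another assert file in tests/kuttl covers those resources this is moot, but from this section alone it looks like a gap. Adding the same `automountServiceAccountToken: false` line under each of those pod templates in the corresponding assert file would close it. The `spec:` block this hunk sits in starts outside the hunk.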