Skip to content

helm: set automountServiceAccountToken to false for hubble-relay sa #35674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 4, 2024
Merged

helm: set automountServiceAccountToken to false for hubble-relay sa #35674

merged 1 commit into from
Nov 4, 2024

Conversation

ayuspin
Copy link
Contributor

@ayuspin ayuspin commented Oct 31, 2024
edited
Loading

Pentest finding (and generically known security advises) point us to not mount service account tokens. The hubble-relay service account is not used in any (cluster)rolebindings defined and everything seems to work fine when automountServiceAccountToken is set to false.

helm: set automountServiceAccountToken to false for hubble-relay sa

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 31, 2024
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Oct 31, 2024
@ayuspin ayuspin marked this pull request as ready for review October 31, 2024 12:32
@ayuspin ayuspin requested review from a team as code owners October 31, 2024 12:32
@ayuspin
helm: set automountServiceAccountToken for hubble-relay sa
9df4972 
Signed-off-by: Andrii Iuspin <andrii.iuspin@isovalent.com>
@gandro gandro added release-note/bug This PR fixes an issue in a previous release of Cilium. area/helm Impacts helm charts and user deployment experience needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Oct 31, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 31, 2024
@ayuspin ayuspin changed the title helm: set automountServiceAccountToken for hubble-relay sa helm: set automountServiceAccountToken to false for hubble-relay sa Oct 31, 2024
@rolinh
Copy link
Member

rolinh commented Nov 1, 2024

/test

@rolinh rolinh enabled auto-merge November 1, 2024 16:18
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 4, 2024
@rolinh rolinh added this pull request to the merge queue Nov 4, 2024
Merged via the queue into cilium:main with commit 94acf90 Nov 4, 2024
64 checks passed
@rolinh rolinh added affects/v1.14 This issue affects v1.14 branch affects/v1.15 This issue affects v1.15 branch affects/v1.16 This issue affects v1.16 branch labels Nov 5, 2024
@joamaki joamaki mentioned this pull request Nov 5, 2024
Merged
23 tasks
@joamaki joamaki added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Nov 5, 2024
@github-actions github-actions bot added backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Nov 7, 2024
@cilium-release-bot cilium-release-bot bot mentioned this pull request Nov 13, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gandro gandro gandro approved these changes

@rolinh rolinh rolinh approved these changes

@tommyp1ckles tommyp1ckles tommyp1ckles approved these changes

Assignees
No one assigned
Labels
affects/v1.14 This issue affects v1.14 branch affects/v1.15 This issue affects v1.15 branch affects/v1.16 This issue affects v1.16 branch area/helm Impacts helm charts and user deployment experience backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ayuspin @rolinh @gandro @tommyp1ckles @joamaki