What would you like to be added?
Need the Redpanda + Operator + Connectors charts to support disabling automountServiceAccountToken.
Also need additional volumes and volumeMounts for the Operator chart.
Why is this needed?
Azure Microsoft Defender reported a High Severity security finding, as below:
"Kubernetes clusters should disable automounting API credentials" - Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc.
So in order to mitigate the above finding, we need to disable automounting of the service account token by setting automountServiceAccountToken = false.
This is not currently possible with the Redpanda, Operator and Connectors charts (only with the Console chart), so I am opening this issue to request support for it.
I'm assuming the Operator (and perhaps others) requires access to the Kubernetes API, so I also want to mention that the Operator currently does not allow adding additional volumes and volumeMounts to manually mount the service account token.
Note: while it is best practice to disable it, the app might require the Kubernetes credentials, so in order for this to work you must also manually mount the service account credentials, for example:
JIRA Link: K8S-360
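The pattern the issue asks the charts to support, as an added example (not from the issue author or the Redpanda charts): a Pod with automounting disabled, plus an explicit projected volume that rebuilds the same token, CA bundle and namespace files the kubelet would otherwise inject, so an in-cluster client still works. The pod name, service account name and image are assumed placeholders.

```yaml
# Added example: disable automount, then mount the credentials explicitly.
apiVersion: v1
kind: Pod
metadata:
  name: operator-example            # placeholder name
spec:
  serviceAccountName: operator-sa   # placeholder; must exist in the namespace
  # Satisfies the "disable automounting API credentials" finding:
  # the kubelet no longer injects a kube-api-access-* volume.
  automountServiceAccountToken: false
  containers:
    - name: manager
      image: example.invalid/operator:placeholder
      volumeMounts:
        # Same path in-cluster clients (client-go, kubectl) read by default,
        # so the application needs no changes to find its credentials.
        - name: kube-api-access
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
  volumes:
    - name: kube-api-access
      projected:
        defaultMode: 0444
        sources:
          # Short-lived, audience-bound token; the kubelet rotates it
          # before expirationSeconds elapses (minimum 600, default 3600).
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
          # Cluster CA, published by kube-controller-manager in every namespace.
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          # Namespace file expected beside the token and CA.
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    fieldPath: metadata.namespace
```

Workloads that never call the API should set automountServiceAccountToken: false and omit the volume entirely; only components that genuinely need the API (such as the Operator) should get the explicit mount.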