What is the recommended way to disable the automount of service account in Kubernetes

We need to disable the automount of service account from our existing deployments in an AKS cluster. There are 2 ways to do it: by adding the property "automountserviceaccount : false" in either the service account manifest or the pod template.

We are using a separate service account specified in our application deployments; however, when we looked in the namespace, there is a default service account also created.

So in order to secure our cluster, do we need to disable the automount property for both the default and the application-specific service accounts?

Since our app is already live, will there be any impact from adding this to the service accounts?

How to know the used service accounts of a pod and its dependencies?



Solution 1:[1]

So in order to secure our cluster, do we need to disable the automount property for both the default and the application-specific service accounts?

The design behind the default ServiceAccount is that it does not have any rights unless you give them some. So from a security point of view there is not much need to disable the mount unless you granted them access for some reason. Instead, whenever an application truly needs some access, go ahead and create a ServiceAccount for that particular application and grant it the permissions it needs via RBAC.

Since our app is already live, will there be any impact from adding this to the service accounts?

In case you truly want to disable the mount, there won't be an impact on your application if it didn't use the ServiceAccount beforehand. What is going to happen, though, is that a new Pod will be created and the existing one is deleted. However, if you properly configured readinessProbes and a rolling update strategy, then Kubernetes will ensure that there will be no downtime.

How to know the used service accounts of a pod and its dependencies?

You can check what ServiceAccount a Pod is mounting by executing kubectl get pods <pod-name> -o yaml. The output is going to show you the entirety of the Pod's manifest and the field spec.serviceAccountName contains information on which ServiceAccount the Pod is mounting.

Solution 2:[2]

Disable auto-mount of default service account:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
automountServiceAccountToken: false

https://gist.github.com/pjbgf/0a8c8a1459e5a2eb20e9d0852ba8c4be
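The two answers above leave the practitioner with two checks to run: which ServiceAccount each running Pod actually uses and whether a token is really mounted (Solution 1), and how the ServiceAccount-level automountServiceAccountToken setting from Solution 2 interacts with a Pod-level setting. The following audit script is an added example, not code from either answer or from the linked gist. It consumes the JSON that kubectl get pods -o json and kubectl get serviceaccounts -o json print, applies the API's precedence rule (the Pod field wins over the ServiceAccount field; when both are unset the token is mounted), and compares that with what is actually mounted at the well-known token path. All pod names, ServiceAccount names, volume names and images below are constructed sample data, embedded so the script runs offline.

```python
"""Audit which Pods mount a ServiceAccount token and whether current settings say they should.

Input: the JSON printed by `kubectl -n <ns> get pods,serviceaccounts -o json`.
A constructed sample is embedded so the script runs offline without a cluster.
"""
import json
import sys

# Path at which the ServiceAccount admission controller mounts the token (projected or legacy Secret).
TOKEN_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample, not real cluster output. 'default' has been set to
# automountServiceAccountToken: false as in Solution 2; 'app-sa' leaves it unset.
SAMPLE_SERVICE_ACCOUNTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "default"}, "automountServiceAccountToken": False},
    {"kind": "ServiceAccount", "metadata": {"name": "app-sa"}},
]


def projected_token_volume(name):
    """Shape of the kube-api-access-* volume the admission controller adds on Kubernetes >= 1.21."""
    return {"name": name, "projected": {"sources": [
        {"serviceAccountToken": {"expirationSeconds": 3607, "path": "token"}},
        {"configMap": {"name": "kube-root-ca.crt", "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
        {"downwardAPI": {"items": [{"path": "namespace", "fieldRef": {"fieldPath": "metadata.namespace"}}]}},
    ]}}


def sample_pod(name, sa, automount=None, volume=None):
    """Build a minimal Pod object shaped like `kubectl get pod -o json` output (constructed data)."""
    spec = {"serviceAccountName": sa, "volumes": [],
            "containers": [{"name": "main", "image": "example/app:1.0", "volumeMounts": []}]}
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    if volume is not None:  # the admission controller injected a token volume and its mount
        spec["volumes"].append(volume)
        spec["containers"][0]["volumeMounts"].append(
            {"name": volume["name"], "mountPath": TOKEN_MOUNT_PATH, "readOnly": True})
    return {"kind": "Pod", "metadata": {"name": name}, "spec": spec}


SAMPLE_PODS = [
    # SA field unset, Pod field unset -> token mounted (the API default)
    sample_pod("api-7d9f8b6c4-x2k9p", "app-sa", volume=projected_token_volume("kube-api-access-q4tzm")),
    # same SA, but the pod template opted out -> nothing mounted
    sample_pod("worker-5c8d9-jh7ls", "app-sa", automount=False),
    # created before 'default' was changed: still carries a legacy token Secret until recreated
    sample_pod("legacy-cron-6b7c-p0d1s", "default",
               volume={"name": "default-token-x9k2q", "secret": {"secretName": "default-token-x9k2q"}}),
    # Pod-level true overrides the ServiceAccount's false
    sample_pod("debug-shell", "default", automount=True, volume=projected_token_volume("kube-api-access-m2n8r")),
]


def desired_automount(pod, sa_by_name):
    """Precedence used by the API: Pod.spec.automountServiceAccountToken wins; otherwise the
    ServiceAccount's field; when both are unset the token is mounted."""
    spec = pod["spec"]
    if spec.get("automountServiceAccountToken") is not None:
        return spec["automountServiceAccountToken"]
    sa = sa_by_name.get(spec.get("serviceAccountName", "default"), {})
    if sa.get("automountServiceAccountToken") is not None:
        return sa["automountServiceAccountToken"]
    return True


def token_is_mounted(pod):
    """Authoritative check on the running Pod: any container mounting the token path."""
    containers = pod["spec"].get("containers", []) + pod["spec"].get("initContainers", [])
    return any(m.get("mountPath") == TOKEN_MOUNT_PATH
               for c in containers for m in c.get("volumeMounts", []))


def audit(pods, service_accounts):
    """One finding per Pod. should_mount=False with mounted=True means the Pod predates the
    ServiceAccount change and keeps its token until it is recreated by a rollout."""
    sa_by_name = {sa["metadata"]["name"]: sa for sa in service_accounts}
    findings = []
    for pod in pods:
        should, mounted = desired_automount(pod, sa_by_name), token_is_mounted(pod)
        if should == mounted:
            status = "mounted (intended)" if mounted else "not mounted"
        elif mounted:
            status = "STALE: token mounted but settings say no; recreate the Pod"
        else:
            status = "not mounted yet; will be mounted on recreation"
        findings.append({"pod": pod["metadata"]["name"],
                         "serviceAccount": pod["spec"].get("serviceAccountName", "default"),
                         "should_mount": should, "mounted": mounted, "status": status})
    return findings


def load_items(stream):
    """Split a `kubectl get pods,serviceaccounts -o json` List into Pods and ServiceAccounts."""
    items = json.load(stream).get("items", [])
    return ([i for i in items if i.get("kind") == "Pod"],
            [i for i in items if i.get("kind") == "ServiceAccount"])


if __name__ == "__main__":
    # With real data: kubectl -n <ns> get pods,serviceaccounts -o json | python3 sa_audit.py
    pods, sas = (SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS) if sys.stdin.isatty() else load_items(sys.stdin)
    for f in audit(pods, sas):
        print(f"{f['pod']:<26} sa={f['serviceAccount']:<8} {f['status']}")
```

The STALE finding is the one that matters for a live cluster: setting automountServiceAccountToken: false on a ServiceAccount changes only Pods created afterwards, which is why Solution 1 points at the rolling update. The mount-path check is deliberately independent of the volume type, so it catches both the projected kube-api-access-* volume and the older Secret-backed token.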

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 F1ko
Solution 2 Joe Bowbeer