Move automountServiceAccountToken to Pod (#3573) (#3580)

Move automountServiceToken to Pod

Problem: For security reasons, it's best practice to not have `automountServiceToken` on the ServiceAccount, and instead set in directly on the workloads that need the token.

Solution: Set this field on the Pods instead of the ServiceAccounts.

Author: sjberman

charts/nginx-gateway-fabric/templates/deployment.yaml

@@ -35,6 +35,7 @@ spec:
         {{- end }}
       {{- end }}
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

charts/nginx-gateway-fabric/templates/serviceaccount.yaml

@@ -7,6 +7,7 @@ metadata:
   {{- include "nginx-gateway.labels" . | nindent 4 }}
   annotations:
     {{- toYaml .Values.nginxGateway.serviceAccount.annotations | nindent 4 }}
+automountServiceAccountToken: false
 {{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
 imagePullSecrets:
   {{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}

deploy/azure/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/default/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/experimental-nginx-plus/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -256,6 +257,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/experimental/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -256,6 +257,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/nginx-plus/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/nodeport/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -252,6 +253,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/openshift/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -273,6 +274,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/snippets-filters-nginx-plus/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -254,6 +255,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

deploy/snippets-filters/deploy.yaml

@@ -4,6 +4,7 @@ metadata:
   name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
@@ -254,6 +255,7 @@ spec:
         app.kubernetes.io/instance: nginx-gateway
         app.kubernetes.io/name: nginx-gateway
     spec:
+      automountServiceAccountToken: true
       containers:
       - args:
         - controller

internal/controller/provisioner/objects.go

@@ -117,7 +117,8 @@ func (p *NginxProvisioner) buildNginxResourceObjects(
 	)
 
 	serviceAccount := &corev1.ServiceAccount{
-		ObjectMeta: objectMeta,
+		ObjectMeta:                   objectMeta,
+		AutomountServiceAccountToken: helpers.GetPointer(false),
 	}
 
 	var openshiftObjs []client.Object
@@ -608,6 +609,7 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec(
 			Annotations: podAnnotations,
 		},
 		Spec: corev1.PodSpec{
+			AutomountServiceAccountToken: helpers.GetPointer(true),
 			Containers: []corev1.Container{
 				{
 					Name:            "nginx",