From f52315e5c98f8d8cbad517c70c866387f31107c5 Mon Sep 17 00:00:00 2001
From: Saylor Berman
Date: Tue, 1 Jul 2025 09:21:20 -0600
Subject: [PATCH] Move automountServiceToken to Pod

Problem: For security reasons, it's best practice to not have `automountServiceToken` on the ServiceAccount, and instead set in directly on the workloads that need the token.
Solution: Set this field on the Pods instead of the ServiceAccounts.
---
 charts/nginx-gateway-fabric/templates/deployment.yaml | 1 +
 charts/nginx-gateway-fabric/templates/serviceaccount.yaml | 1 +
 deploy/azure/deploy.yaml | 2 ++
 deploy/default/deploy.yaml | 2 ++
 deploy/experimental-nginx-plus/deploy.yaml | 2 ++
 deploy/experimental/deploy.yaml | 2 ++
 deploy/nginx-plus/deploy.yaml | 2 ++
 deploy/nodeport/deploy.yaml | 2 ++
 deploy/openshift/deploy.yaml | 2 ++
 deploy/snippets-filters-nginx-plus/deploy.yaml | 2 ++
 deploy/snippets-filters/deploy.yaml | 2 ++
 internal/controller/provisioner/objects.go | 4 +++-
 12 files changed, 23 insertions(+), 1 deletion(-)
diff --git a/charts/nginx-gateway-fabric/templates/deployment.yaml b/charts/nginx-gateway-fabric/templates/deployment.yaml
index 8fee4b36f2..6b34a7e97c 100644
--- a/charts/nginx-gateway-fabric/templates/deployment.yaml
+++ b/charts/nginx-gateway-fabric/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec:
 {{- end }}
 {{- end }}
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - controller
diff --git a/charts/nginx-gateway-fabric/templates/serviceaccount.yaml b/charts/nginx-gateway-fabric/templates/serviceaccount.yaml
index fa3439759d..98fb891a80 100644
--- a/charts/nginx-gateway-fabric/templates/serviceaccount.yaml
+++ b/charts/nginx-gateway-fabric/templates/serviceaccount.yaml
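Review bot: The `automountServiceAccountToken: true` added to the controller pod spec is a silent dependency on the ServiceAccount template now defaulting the mount off; if someone later removes this line the chart still renders and installs, and the controller only fails when its first API call is rejected. A one-line comment above the added field would record why it must stay: `# The ServiceAccount disables token automount; the controller needs the API token, so the pod opts in here.` The generated deploy/*/deploy.yaml manifests in this patch mirror the same pair of lines and inherit whatever comment the chart carries only if it is placed where the generator preserves it, which is not visible here.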
@@ -7,6 +7,7 @@ metadata:
 {{- include "nginx-gateway.labels" . | nindent 4 }}
 annotations:
 {{- toYaml .Values.nginxGateway.serviceAccount.annotations | nindent 4 }}
+automountServiceAccountToken: false
 {{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
 imagePullSecrets:
 {{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}
diff --git a/deploy/azure/deploy.yaml b/deploy/azure/deploy.yaml
index 7e29ea1c66..0a7e457685 100644
--- a/deploy/azure/deploy.yaml
+++ b/deploy/azure/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
 name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 labels:
@@ -252,6 +253,7 @@ spec:
 app.kubernetes.io/instance: nginx-gateway
 app.kubernetes.io/name: nginx-gateway
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - controller
diff --git a/deploy/default/deploy.yaml b/deploy/default/deploy.yaml
index 199131b2a4..4324fc92f7 100644
--- a/deploy/default/deploy.yaml
+++ b/deploy/default/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
 name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 labels:
@@ -252,6 +253,7 @@ spec:
 app.kubernetes.io/instance: nginx-gateway
 app.kubernetes.io/name: nginx-gateway
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - controller
diff --git a/deploy/experimental-nginx-plus/deploy.yaml b/deploy/experimental-nginx-plus/deploy.yaml
index 46844c4e47..f0ac53ba0d 100644
--- a/deploy/experimental-nginx-plus/deploy.yaml
+++ b/deploy/experimental-nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
 name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 labels:
@@ -256,6 +257,7 @@ spec:
 app.kubernetes.io/instance: nginx-gateway
 app.kubernetes.io/name: nginx-gateway
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - controller
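Review bot: Hard-coding `automountServiceAccountToken: false` on the ServiceAccount means any other pod bound to this account that does not set the pod-level field loses its token with no render-time or install-time error, only failed API calls at runtime. The Deployment in this patch opts back in, but it is worth confirming before merge that no other template in the chart (a hook or job, if any exists) runs under `.Values.nginxGateway.serviceAccount` without the same explicit opt-in. A template comment above the added key would make the contract explicit for future editors: `{{- /* Token automount is disabled here on purpose; pods that need API access set automountServiceAccountToken: true in their own spec. */}}`.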
diff --git a/deploy/experimental/deploy.yaml b/deploy/experimental/deploy.yaml
index 0dbeac7329..ad3cf361a6 100644
--- a/deploy/experimental/deploy.yaml
+++ b/deploy/experimental/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
 name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 labels:
@@ -256,6 +257,7 @@ spec:
 app.kubernetes.io/instance: nginx-gateway
 app.kubernetes.io/name: nginx-gateway
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - controller
diff --git a/deploy/nginx-plus/deploy.yaml b/deploy/nginx-plus/deploy.yaml
index 73e985ebc2..a966b9e325 100644
--- a/deploy/nginx-plus/deploy.yaml
+++ b/deploy/nginx-plus/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
 name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 labels:
@@ -252,6 +253,7 @@ spec:
 app.kubernetes.io/instance: nginx-gateway
 app.kubernetes.io/name: nginx-gateway
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - controller
diff --git a/deploy/nodeport/deploy.yaml b/deploy/nodeport/deploy.yaml
index a2725a6473..d151c82319 100644
--- a/deploy/nodeport/deploy.yaml
+++ b/deploy/nodeport/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
 name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 labels:
@@ -252,6 +253,7 @@ spec:
 app.kubernetes.io/instance: nginx-gateway
 app.kubernetes.io/name: nginx-gateway
 spec:
+ automountServiceAccountToken: true
 containers:
 - args:
 - controller
diff --git a/deploy/openshift/deploy.yaml b/deploy/openshift/deploy.yaml
index 99485c69bd..278b7abc14 100644
--- a/deploy/openshift/deploy.yaml
+++ b/deploy/openshift/deploy.yaml
@@ -4,6 +4,7 @@ metadata:
 name: nginx-gateway
 ---
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 labels:
@@ -273,6 +274,7 @@ spec: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway spec: + automountServiceAccountToken: true containers: - args: - controller diff --git a/deploy/snippets-filters-nginx-plus/deploy.yaml b/deploy/snippets-filters-nginx-plus/deploy.yaml index 6cc0026877..7461912539 100644 --- a/deploy/snippets-filters-nginx-plus/deploy.yaml +++ b/deploy/snippets-filters-nginx-plus/deploy.yaml @@ -4,6 +4,7 @@ metadata: name: nginx-gateway --- apiVersion: v1 +automountServiceAccountToken: false kind: ServiceAccount metadata: labels: @@ -254,6 +255,7 @@ spec: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway spec: + automountServiceAccountToken: true containers: - args: - controller diff --git a/deploy/snippets-filters/deploy.yaml b/deploy/snippets-filters/deploy.yaml index 9bb597289d..d23d775600 100644 --- a/deploy/snippets-filters/deploy.yaml +++ b/deploy/snippets-filters/deploy.yaml @@ -4,6 +4,7 @@ metadata: name: nginx-gateway --- apiVersion: v1 +automountServiceAccountToken: false kind: ServiceAccount metadata: labels: @@ -254,6 +255,7 @@ spec: app.kubernetes.io/instance: nginx-gateway app.kubernetes.io/name: nginx-gateway spec: + automountServiceAccountToken: true containers: - args: - controller diff --git a/internal/controller/provisioner/objects.go b/internal/controller/provisioner/objects.go index 3b43ac8b66..774b29110c 100644 --- a/internal/controller/provisioner/objects.go +++ b/internal/controller/provisioner/objects.go @@ -117,7 +117,8 @@ func (p *NginxProvisioner) buildNginxResourceObjects( ) serviceAccount := &corev1.ServiceAccount{ - ObjectMeta: objectMeta, + ObjectMeta: objectMeta, + AutomountServiceAccountToken: helpers.GetPointer(false), } var openshiftObjs []client.Object 
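Review bot: Setting `AutomountServiceAccountToken: helpers.GetPointer(false)` on the built ServiceAccount only hardens new installs unless the provisioner's update path also writes this field to ServiceAccounts that already exist from an earlier release; that path is outside this hunk, so it is worth checking that a pre-existing account is patched rather than left at the mount-on default. The diffstat lists no test file, so a unit test asserting that the ServiceAccount returned by `buildNginxResourceObjects` has `*AutomountServiceAccountToken == false` (and the pod template `== true`) would pin the new behavior. `buildNginxResourceObjects` begins and ends outside this hunk.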
@@ -608,6 +609,7 @@ func (p *NginxProvisioner) buildNginxPodTemplateSpec(
 Annotations: podAnnotations,
 },
 Spec: corev1.PodSpec{
+ AutomountServiceAccountToken: helpers.GetPointer(true),
 Containers: []corev1.Container{
 {
 Name: "nginx",
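Review bot: The data-plane pod template opts in unconditionally with `AutomountServiceAccountToken: helpers.GetPointer(true)`, but nothing in the hunk records what inside the nginx pod consumes the projected token, which is the fact a future reader needs before deciding whether this line can be dropped. A why-comment on the added field would close that gap, e.g. `// Opt in here rather than on the ServiceAccount: the nginx pod needs the projected token for <consumer>.` with the consumer named (presumably the agent's connection to the control plane, but that is not visible here and should be confirmed). `buildNginxPodTemplateSpec` begins and ends outside this hunk.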