fix(security): 🐛 🔒️ mount service account token on pod level

mloiseleur · web-flow · commit db4f43f2cbda · 2024-06-06T10:42:04.000+02:00
diff --git a/traefik/templates/_podtemplate.tpl b/traefik/templates/_podtemplate.tpl
@@ -22,6 +22,7 @@
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "traefik.serviceAccountName" . }}
+      automountServiceAccountToken: true
       terminationGracePeriodSeconds: {{ default 60 .Values.deployment.terminationGracePeriodSeconds }}
       hostNetwork: {{ .Values.hostNetwork }}
       {{- with .Values.deployment.dnsPolicy }}
diff --git a/traefik/templates/rbac/serviceaccount.yaml b/traefik/templates/rbac/serviceaccount.yaml
@@ -10,4 +10,5 @@ metadata:
   {{- with .Values.serviceAccountAnnotations }}
   {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end -}}
diff --git a/traefik/tests/deployment-config_test.yaml b/traefik/tests/deployment-config_test.yaml
@@ -2,11 +2,26 @@ suite: Deployment configuration
 templates:
   - deployment.yaml
 tests:
-  - it: should have 1 replica by default
+  - it: should provide expected defaults
     asserts:
       - equal:
           path: spec.replicas
           value: 1
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: true
+      - equal:
+          path: spec.strategy.type
+          value: RollingUpdate
+      - equal:
+          path: spec.strategy.rollingUpdate.maxUnavailable
+          value: 0
+      - equal:
+          path: spec.strategy.rollingUpdate.maxSurge
+          value: 1
+      - equal:
+          path: metadata.namespace
+          value: NAMESPACE
   - it: should have the specified amount of replicas when specified via values
     set:
       deployment:
@@ -23,17 +38,6 @@ tests:
       - equal:
           path: spec.revisionHistoryLimit
           value: 1
-  - it: should have a rollingUpdate strategy with default values
-    asserts:
-      - equal:
-          path: spec.strategy.type
-          value: RollingUpdate
-      - equal:
-          path: spec.strategy.rollingUpdate.maxUnavailable
-          value: 0
-      - equal:
-          path: spec.strategy.rollingUpdate.maxSurge
-          value: 1
   - it: should have a custom merged rollingUpdate strategy with specified values
     set:
       updateStrategy:
@@ -160,11 +164,6 @@ tests:
       - equal:
           path: spec.strategy.type
           value: OnDelete
-  - it: should use helm managed namespace as default behavior
-    asserts:
-      - equal:
-          path: metadata.namespace
-          value: NAMESPACE
   - it: should accept overridden namespace
     set:
       namespaceOverride: "traefik-ns-override"
diff --git a/traefik/tests/rbac-config_test.yaml b/traefik/tests/rbac-config_test.yaml
@@ -28,6 +28,10 @@ tests:
           path: metadata.name
           value: RELEASE-NAME-traefik
         template: rbac/serviceaccount.yaml
+      - equal:
+          path: automountServiceAccountToken
+          value: false
+        template: rbac/serviceaccount.yaml
       - equal:
           path: spec.template.spec.serviceAccountName
           value: RELEASE-NAME-traefik
