I'm experimenting with nginx-gateway-fabric on a cluster not managed by myself. This cluster has quite stringent security requirements enforced by gatekeeper that denies certain configuration on certain resources.
One of them is requiring that all ServiceAccount objects have explicitly set: automountServiceAccountToken: false
The deployment is still allowed to explicitly set auto mounting of the service account to true:
spec:
  automountServiceAccountToken: true
As far as I can tell this has the exact same functionality from the Pod's perspective.
Would it be feasible to do this on all service accounts in nginx-gateway-fabric? More specifically:
In the Helm chart template or allow it to be controlled through helm values
In the ServiceAccount of the data plane that is dynamically created by the control plane based on the Gateway spec
I can work around the first one by inlining the chart and changing the template but it's annoying when having to upgrade to newer chart versions so ideally it would be controllable by chart values or just be the default.
The second thing is more problematic since I don't seem to have a way to define this on the dynamically created data plane ServiceAccount and Deployment. I can only change annotations and labels through the Gateway infrastructure yaml section.
Thanks for your feedback.
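An added example, not part of the original post and not code from nginx-gateway-fabric: a small audit that applies the Kubernetes precedence rule (the Pod-level `automountServiceAccountToken` wins over the ServiceAccount's, and the default is true) to find ServiceAccounts that violate the rule described above and the Deployments that would lose their token once the ServiceAccount is fixed. The manifests and all names in them are constructed for illustration; in a Deployment the Pod-level field sits under `spec.template.spec`.

```python
# Constructed sample manifests; names are hypothetical, not taken from the chart.
MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "ngf-control", "namespace": "gw"},
     "automountServiceAccountToken": False},
    {"kind": "ServiceAccount", "metadata": {"name": "ngf-data", "namespace": "gw"}},
    {"kind": "Deployment", "metadata": {"name": "control-plane", "namespace": "gw"},
     "spec": {"template": {"spec": {"serviceAccountName": "ngf-control",
                                    "automountServiceAccountToken": True}}}},
    {"kind": "Deployment", "metadata": {"name": "data-plane", "namespace": "gw"},
     "spec": {"template": {"spec": {"serviceAccountName": "ngf-data"}}}},
]

def key(manifest):
    return f'{manifest["metadata"]["namespace"]}/{manifest["metadata"]["name"]}'

def sa_violations(manifests):
    """ServiceAccounts that do not explicitly set automountServiceAccountToken: false."""
    return sorted(key(m) for m in manifests
                  if m["kind"] == "ServiceAccount"
                  and m.get("automountServiceAccountToken") is not False)

def effective_automount(pod_spec, sa):
    """Pod-level value wins, then the ServiceAccount's, then the default (true)."""
    for value in (pod_spec.get("automountServiceAccountToken"),
                  (sa or {}).get("automountServiceAccountToken")):
        if value is not None:
            return value
    return True

def audit(manifests):
    """Per Deployment: is the token mounted now, and after its SA is set to false?"""
    sas = {key(m): m for m in manifests if m["kind"] == "ServiceAccount"}
    report = {}
    for m in manifests:
        if m["kind"] != "Deployment":
            continue
        pod = m["spec"]["template"]["spec"]
        sa_name = pod.get("serviceAccountName", "default")
        sa = sas.get(f'{m["metadata"]["namespace"]}/{sa_name}')
        now = effective_automount(pod, sa)
        after = effective_automount(pod, {"automountServiceAccountToken": False})
        # needs_pod_override: relies on the SA/default today, so the Pod spec
        # must set the field to true before the SA can be made compliant.
        report[key(m)] = {"mounted_now": now, "mounted_after_sa_fix": after,
                          "needs_pod_override": now and not after}
    return report

if __name__ == "__main__":
    print(sa_violations(MANIFESTS))
    print(audit(MANIFESTS))
```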