disable injecting unnecessary variables allowing access to k8s API

3429bc77 · Paweł Krupa (paulfantom) · f51e9b14 · 3429bc77 · 3429bc77 · 3429bc77
Commit 3429bc77 authored 3 years ago by Paweł Krupa (paulfantom)
--- a/jsonnet/kube-prometheus/components/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/components/alertmanager.libsonnet
@@ -121,6 +121,7 @@ function(params) {
    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: am._metadata,
+    automountServiceAccountToken: false,
  },
  service: {

--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -115,6 +115,7 @@ function(params) {
    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: bb._metadata,
+    automountServiceAccountToken: false,
  },
  clusterRole: {
@@ -238,6 +239,7 @@ function(params) {
          spec: {
            containers: [blackboxExporter, reloader, kubeRbacProxy],
            nodeSelector: { 'kubernetes.io/os': 'linux' },
+            automountServiceAccountToken: true,
            serviceAccountName: 'blackbox-exporter',
            volumes: [{
              name: 'config',

--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -88,10 +88,12 @@ function(params)
    // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
    // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
    // 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
+    // FIXME(paulfantom): `automountServiceAccountToken` can be removed after porting to brancz/kuberentes-grafana
    deployment+: {
      spec+: {
        template+: {
          spec+: {
+            automountServiceAccountToken: false,
            containers: std.map(function(c) c {
              securityContext+: {
                allowPrivilegeEscalation: false,

--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -129,6 +129,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
          },
        },
        spec+: {
+          automountServiceAccountToken: true,
          containers: std.map(function(c) c {
            ports:: null,
            livenessProbe:: null,

--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -114,6 +114,7 @@ function(params) {
    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: ne._metadata,
+    automountServiceAccountToken: false,
  },
  service: {
@@ -240,6 +241,7 @@ function(params) {
              { name: 'sys', hostPath: { path: '/sys' } },
              { name: 'root', hostPath: { path: '/' } },
            ],
+            automountServiceAccountToken: true,
            serviceAccountName: ne._config.name,
            securityContext: {
              runAsUser: 65534,

--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -253,6 +253,7 @@ function(params) {
          spec: {
            containers: [c],
            serviceAccountName: $.serviceAccount.metadata.name,
+            automountServiceAccountToken: true,
            nodeSelector: { 'kubernetes.io/os': 'linux' },
            volumes: [
              { name: 'tmpfs', emptyDir: {} },
@@ -268,6 +269,7 @@ function(params) {
    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: pa._metadata,
+    automountServiceAccountToken: false,
  },
  clusterRole: {

--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -131,6 +131,7 @@ function(params)
      spec+: {
        template+: {
          spec+: {
+            automountServiceAccountToken: true,
            containers: std.map(function(c) c {
              securityContext+: {
                capabilities: { drop: ['ALL'] },

--- a/jsonnet/kube-prometheus/components/prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus.libsonnet
@@ -98,6 +98,7 @@ function(params) {
    apiVersion: 'v1',
    kind: 'ServiceAccount',
    metadata: p._metadata,
+    automountServiceAccountToken: false,
  },
  service: {