MLE-21295: Enforce automountServiceAccountToken=false #96
Conversation
rwinieski
requested review from
vitalykorolev,
pengzhouml,
barkhachoithani,
sumanthravipati and
Copilot
There was a problem hiding this comment.
Pull Request Overview
This PR enforces security by setting automountServiceAccountToken=false for MarkLogic pods in Kubernetes. This prevents automatic mounting of service account tokens, reducing the attack surface by eliminating unnecessary access to the Kubernetes API from pods.
- Added
AutomountServiceAccountTokenfield to cluster and group specifications with a default value offalse - Updated StatefulSet generation to enforce the security setting
- Updated sample configurations with new image versions
Reviewed Changes
Copilot reviewed 10 out of 11 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| pkg/k8sutil/statefulset.go | Added parameter and logic to set automountServiceAccountToken=false on StatefulSets |
| pkg/k8sutil/marklogicServer.go | Added parameter passing for automountServiceAccountToken setting |
| api/v1/marklogicgroup_types.go | Added AutomountServiceAccountToken field to MarklogicGroupSpec |
| api/v1/marklogiccluster_types.go | Added AutomountServiceAccountToken field to MarklogicClusterSpec |
| config/crd/bases/*.yaml | Updated CRD definitions to include automountServiceAccountToken field |
| api/v1/zz_generated.deepcopy.go | Generated deep copy methods for new field |
| config/samples/*.yaml | Updated sample configurations with newer image versions |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
| // Always enforce automountServiceAccountToken to false for security | ||
| falseValue := false | ||
|
|
||
| params := statefulSetParameters{ |
There was a problem hiding this comment.
[nitpick] Consider using a package-level constant for the false value instead of declaring it locally in each function. This would improve consistency and make the security requirement more explicit.
Copilot uses AI. Check for mistakes.
| // Always enforce automountServiceAccountToken to false for security | ||
| falseValue := false | ||
|
|
||
| markLogicGroupParameters := &MarkLogicGroupParameters{ |
There was a problem hiding this comment.
[nitpick] Consider using a package-level constant for the false value instead of declaring it locally in each function. This would improve consistency and make the security requirement more explicit.
Copilot uses AI. Check for mistakes.
No description provided.