diff --git a/internal/infrastructure/kubernetes/proxy/resource_provider.go b/internal/infrastructure/kubernetes/proxy/resource_provider.go
index 2f82aeeee7..4d5eb1ea02 100644
--- a/internal/infrastructure/kubernetes/proxy/resource_provider.go
+++ b/internal/infrastructure/kubernetes/proxy/resource_provider.go
@@ -147,6 +147,7 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: r.Namespace(),
 Name: r.Name(),
@@ -389,6 +390,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 Annotations: podAnnotations,
 },
 Spec: corev1.PodSpec{
+ AutomountServiceAccountToken: ptr.To(false),
 Containers: containers,
 InitContainers: deploymentConfig.InitContainers,
 ServiceAccountName: r.Name(),
@@ -627,6 +629,7 @@ func (r *ResourceRender) getPodSpec(
 proxyConfig *egv1a1.EnvoyProxy,
 ) corev1.PodSpec {
 return corev1.PodSpec{
+ AutomountServiceAccountToken: ptr.To(false),
 Containers: containers,
 InitContainers: initContainers,
 ServiceAccountName: r.Name(),
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml
index ff31a812d8..eb41b2ac52 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/component-level.yaml
@@ -37,6 +37,7 @@ spec:
 gateway.envoyproxy.io/owning-gateway-name: default
 gateway.envoyproxy.io/owning-gateway-namespace: default
 spec:
+ automountServiceAccountToken: false
 containers:
 - args:
 - --service-cluster default
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml
index 7cdecd25fe..5a56810905 100644
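Review bot: The `AutomountServiceAccountToken: ptr.To(false)` added in ServiceAccount(), Deployment() and getPodSpec() withholds the projected token from every container of the proxy pod, including user-supplied ones (`InitContainers: deploymentConfig.InitContainers` in the Deployment() hunk), and nothing in the code explains the intent or the opt-out. A one-line why-comment above the field in each of the three places would help the next maintainer, e.g. `// Withhold the SA token: the proxy has no need to call the Kubernetes API, so a compromised proxy pod should hold no cluster credential; a pod-level automountServiceAccountToken: true (e.g. via the EnvoyProxy pod patch) overrides this.` — the claim about the proxy not needing the API is my inference, so confirm it against the shutdown-manager and any init containers before committing to the wording. Setting the field on both the ServiceAccount and the PodSpec is the right belt-and-braces choice, since the pod-level value takes precedence over the account-level default. Whether an already-existing ServiceAccount picks up the new value depends on the update/compare path outside these hunks. As a style point, in ServiceAccount() the field sits between TypeMeta and ObjectMeta; the conventional order (and the corev1.ServiceAccount struct order) is TypeMeta, ObjectMeta, then the remaining fields.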
--- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/custom.yaml @@ -38,6 +38,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml index d6156776e0..eb3cb2d11a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default-env.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml index 8c54cb83b2..85493cc195 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/default.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml index f924e5ed40..5798d28861 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/disable-prometheus.yaml 
@@ -33,6 +33,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml index 2df7c8d857..8da12ec97b 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/extension-env.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml index c516be2ffa..1886746441 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/gateway-namespace-mode.yaml @@ -40,6 +40,7 @@ spec: gateway.envoyproxy.io/owning-gateway-namespace: ns1 gateway.networking.k8s.io/gateway-name: gateway-1 spec: + automountServiceAccountToken: false containers: - args: - --service-cluster ns1/gateway-1 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml index cc445987de..692f9b5b55 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/override-labels-and-annotations.yaml 
@@ -46,6 +46,7 @@ spec: label1: value1-override label2: value2 spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml index 7264a3c373..4059267689 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/patch-daemonset.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml index efed3e8e48..78cc0b6b28 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/shutdown-manager.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml index ce59705329..78da341b7d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/volumes.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml index 27afc755aa..f13e240054 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-annotations.yaml @@ -42,6 +42,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml index ec01b5b917..cee00906f7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-concurrency.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml index 7ea3d4f4cb..6395329313 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-extra-args.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml index 7dda04cb05..d3bfde68a7 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-image-pull-secrets.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml index dc53794b48..72939b5755 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-name.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml index cd1b5d5574..277bee2f37 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-node-selector.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml index bcf812cc7f..0a174dcbcf 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/daemonsets/with-topology-spread-constraints.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml index 27bd1e5fae..e22ab6b7b1 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/bootstrap.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml index ed6cdae2fa..e66ddbdb54 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/component-level.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml index 9bd1c6672a..e96b837aa4 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom.yaml @@ -43,6 +43,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml index e3958eef72..0088db13c9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/custom_with_initcontainers.yaml @@ -43,6 +43,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml index d072518115..251f7fecfe 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default-env.yaml @@ -42,6 +42,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml index 704abe498a..2d104ca9da 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/default.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml index 01ef892824..0d988425b2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/disable-prometheus.yaml @@ -37,6 +37,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml index 2b6971cd43..fa3d0304a2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/dual-stack.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml index df7236ee04..2ba927e8fc 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/extension-env.yaml @@ -42,6 +42,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml index 2265fa7ef1..abaa6eaa34 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/gateway-namespace-mode.yaml @@ -44,6 +44,7 @@ spec: gateway.envoyproxy.io/owning-gateway-namespace: ns1 gateway.networking.k8s.io/gateway-name: gateway-1 spec: + automountServiceAccountToken: false containers: - args: - --service-cluster ns1/gateway-1 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml index 62b705d6f9..0b5f26b8ab 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/ipv6.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml index b989611bed..fd8320a490 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/override-labels-and-annotations.yaml @@ -50,6 +50,7 @@ spec: label1: value1-override label2: value2 spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml index f51bd4cbde..75b5c0466f 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/patch-deployment.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml index d6960e5088..61098fcd53 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/shutdown-manager.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml index 5fffdbd769..57a77172e2 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/volumes.yaml @@ -42,6 +42,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml index 97219fef3a..1e46ab65a6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-annotations.yaml @@ -46,6 +46,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml index d22cf4fc3f..21798b3bb9 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-concurrency.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml index 1b461b58de..8fddca291a 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-empty-memory-limits.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml index 56249a991c..b9f6849ae3 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-extra-args.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml index e353f42147..d40f50a442 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-image-pull-secrets.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml index 49adf4c3ef..5dcc3df825 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-name.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml index 7d3816b79f..ef27a5ff95 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default diff --git a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml index 3b993596d7..6d81fc8463 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/deployments/with-topology-spread-constraints.yaml @@ -41,6 +41,7 @@ spec: gateway.envoyproxy.io/owning-gateway-name: default gateway.envoyproxy.io/owning-gateway-namespace: default spec: + automountServiceAccountToken: false containers: - args: - --service-cluster default 
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml index e564124906..8d1198c7e8 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/deployment.yaml @@ -44,6 +44,7 @@ spec: gateway.envoyproxy.io/owning-gateway-namespace: namespace-1 gateway.networking.k8s.io/gateway-name: gateway-1 spec: + automountServiceAccountToken: false containers: - args: - --service-cluster namespace-1/gateway-1 @@ -457,6 +458,7 @@ spec: gateway.envoyproxy.io/owning-gateway-namespace: namespace-2 gateway.networking.k8s.io/gateway-name: gateway-2 spec: + automountServiceAccountToken: false containers: - args: - --service-cluster namespace-2/gateway-2 diff --git a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/serviceaccount.yaml b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/serviceaccount.yaml index 693abe294e..e625b2453d 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/serviceaccount.yaml +++ b/internal/infrastructure/kubernetes/proxy/testdata/gateway-namespace-mode/serviceaccount.yaml @@ -1,4 +1,5 @@ apiVersion: v1 +automountServiceAccountToken: false kind: ServiceAccount metadata: creationTimestamp: null @@ -18,6 +19,7 @@ metadata: uid: test-owner-reference-uid-for-gateway --- apiVersion: v1 +automountServiceAccountToken: false kind: ServiceAccount metadata: creationTimestamp: null diff --git a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/default.yaml b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/default.yaml index 64c93e6885..919cdd96e6 100644 --- a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/default.yaml 
+++ b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/default.yaml
@@ -1,4 +1,5 @@
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 creationTimestamp: null
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/gateway-namespace-mode.yaml b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/gateway-namespace-mode.yaml
index 3fe4a95363..15a0177ef2 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/gateway-namespace-mode.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/gateway-namespace-mode.yaml
@@ -1,4 +1,5 @@
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 creationTimestamp: null
diff --git a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/with-annotations.yaml b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/with-annotations.yaml
index 64254aa798..6784d43928 100644
--- a/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/with-annotations.yaml
+++ b/internal/infrastructure/kubernetes/proxy/testdata/serviceaccount/with-annotations.yaml
@@ -1,4 +1,5 @@
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 annotations:
diff --git a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
index 79c2c6e69d..7332cef6f6 100644
--- a/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
+++ b/internal/infrastructure/kubernetes/proxy_serviceaccount_test.go
@@ -61,6 +61,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "test",
 Name: "envoy-test-9f86d081",
@@ -109,6 +110,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "test",
 Name: "envoy-test-9f86d081",
@@ -153,6 +155,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "test",
 Name: "very-long-name-that-will-be-hashed-and-cut-off-because-its-too-long",
@@ -169,6 +172,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "test",
 Name: "envoy-very-long-name-that-will-be-hashed-and-cut-off-b-5bacc75e",
@@ -215,6 +219,7 @@ func TestCreateOrUpdateProxyServiceAccount(t *testing.T) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "ns1",
 Name: "gateway-1",
diff --git a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
index 3aaf6d0bea..31654b4cda 100644
--- a/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
+++ b/internal/infrastructure/kubernetes/ratelimit/resource_provider.go
@@ -174,6 +174,7 @@ func (r *ResourceRender) ServiceAccount() (*corev1.ServiceAccount, error) {
 Kind: ResourceKindServiceAccount,
 APIVersion: apiVersion,
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: r.Namespace(),
 Name: InfraName,
diff --git a/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-serviceaccount.yaml b/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-serviceaccount.yaml
index 05b389768d..c11aaac1e3 100644
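Review bot: The ratelimit ServiceAccount() hunk disables the token only at the ServiceAccount level, whereas the proxy side of this change sets it on both the ServiceAccount and the PodSpec; the ratelimit Deployment's PodSpec is not touched anywhere in the diff. An account-level `automountServiceAccountToken: false` is only a default and is overridden by any pod-level `true`, so for parity with the proxy and to match the release note's "deployments and serviceAccounts" wording, add `AutomountServiceAccountToken: ptr.To(false),` to the ratelimit Deployment's PodSpec as well (outside this hunk) and extend the corresponding deployment fixture. Whether the ratelimit container needs the token at all is not visible here, so confirm before adding it. The ServiceAccount() body continues outside the hunk.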
--- a/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-serviceaccount.yaml
+++ b/internal/infrastructure/kubernetes/ratelimit/testdata/envoy-ratelimit-serviceaccount.yaml
@@ -1,4 +1,5 @@
 apiVersion: v1
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
 name: envoy-ratelimit
diff --git a/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go b/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go
index ecf366eeff..62c854db91 100644
--- a/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go
+++ b/internal/infrastructure/kubernetes/ratelimit_serviceaccount_test.go
@@ -17,6 +17,7 @@ import (
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/types"
+ "k8s.io/utils/ptr"
 "sigs.k8s.io/controller-runtime/pkg/client"
 fakeclient "sigs.k8s.io/controller-runtime/pkg/client/fake"
 
@@ -50,6 +51,7 @@ func TestCreateOrUpdateRateLimitServiceAccount(t *testing.T) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "envoy-gateway-system",
 Name: ratelimit.InfraName,
@@ -72,6 +74,7 @@ func TestCreateOrUpdateRateLimitServiceAccount(t *testing.T) {
 Kind: "ServiceAccount",
 APIVersion: "v1",
 },
+ AutomountServiceAccountToken: ptr.To(false),
 ObjectMeta: metav1.ObjectMeta{
 Namespace: "envoy-gateway-system",
 Name: ratelimit.InfraName,
diff --git a/release-notes/current.yaml b/release-notes/current.yaml
index 527a7f474f..50832849a8 100644
--- a/release-notes/current.yaml
+++ b/release-notes/current.yaml
@@ -6,6 +6,7 @@ breaking changes: | # Updates addressing vulnerabilities, security flaws, or compliance requirements. security updates: | + Disable automountServiceAccountToken for proxy and ratelimit deployments and serviceAccounts # New features or capabilities added in this release. new features: |