automountServiceAccountToken #1189
Comments
@jinxingwang That would be great to have!
Can any maintainer share the update on when this will be prioritized? TIA :)
Need support for automountServiceAccountToken: true by default to access the kube APIs. Fixes kubeflow#1189
Any updates on this issue? We need this for compliance with Azure Government cloud.
Could you go into a bit more detail on the specific compliance requirements? Is credential auto-mounting disabled in these clusters?
@jacobsalway Sure: "Kubernetes clusters should disable automounting API credentials" - Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters. For more information, see https://aka.ms/kubepolicydoc. So in order to mitigate the above finding we need to disable automounting of the service account token by setting automountServiceAccountToken = false on all pods. I will mention the idea of the policy is "while obviously some apps require serviceAccount tokens, it shouldn't be mounted by default to avoid misuse, and instead should only be manually (and explicitly) mounted as a volume when needed", example of manually mounting to a pod:
Anyway, this is a required policy for work with Azure Government cloud.
@Aransh Thanks, appreciate the details and the links. It would be easy enough to add this as a configurable field to the controller and webhook deployment specs in the Helm chart; however, for the actual Spark driver pod to have this field it would require a change to Spark core, or to the webhook in the operator, or a pod template spec. Are both required for compliance in this environment? I would imagine so, given the driver also needs a service account in order to request and watch executor pods.
@jacobsalway Yup, both are required for compliance.
Hi Team, any update on this case?
On the controller side: I'd suggest modifying the chart to add the On the Spark app side: I would suggest solving this with a pod template. We will support this within the CR in whichever release #2141 ends up in.
Thanks @jacobsalway
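An added example, not from the issue participants or the operator project, showing how a defender can audit which pods still get a token auto-mounted under the policy quoted above. It applies the Kubernetes precedence rule (assumed here from the upstream documentation: the pod's spec field overrides the ServiceAccount's, and the default is true) and also reports the explicit projected-token volumes the policy allows; the Pod and ServiceAccount objects are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class Finding:
    pod: str
    auto_mounted: bool                 # token injected implicitly by the kubelet
    token_volumes: list = field(default_factory=list)  # explicit projected tokens

def token_auto_mounted(pod: dict, service_accounts: dict) -> bool:
    """Precedence rule (assumed from the Kubernetes docs): the pod's spec field
    wins; otherwise the ServiceAccount's field; otherwise the default, true."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    sa = service_accounts.get(spec.get("serviceAccountName", "default"), {})
    return bool(sa.get("automountServiceAccountToken", True))

def explicit_token_volumes(pod: dict) -> list:
    """Names of projected volumes carrying a serviceAccountToken source,
    i.e. the 'mount it manually and explicitly' pattern the policy permits."""
    return [
        vol["name"]
        for vol in pod.get("spec", {}).get("volumes", [])
        if any("serviceAccountToken" in src
               for src in vol.get("projected", {}).get("sources", []))
    ]

def audit(pods: list, service_accounts: dict) -> list:
    return [Finding(p["metadata"]["name"], token_auto_mounted(p, service_accounts),
                    explicit_token_volumes(p)) for p in pods]

# Constructed sample objects, not taken from any real cluster.
SERVICE_ACCOUNTS = {
    "default": {"automountServiceAccountToken": False},  # SA-level opt-out
    "spark": {},                                          # nothing set -> true
}
PODS = [
    {"metadata": {"name": "spark-driver"},       # inherits true from the 'spark' SA
     "spec": {"serviceAccountName": "spark"}},
    {"metadata": {"name": "spark-executor"},     # pod field overrides the SA's false
     "spec": {"serviceAccountName": "default", "automountServiceAccountToken": True}},
    {"metadata": {"name": "operator-webhook"},   # compliant: off, token mounted explicitly
     "spec": {"serviceAccountName": "spark", "automountServiceAccountToken": False,
              "volumes": [{"name": "kube-api-access", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token", "expirationSeconds": 3600}}]}}]}},
    {"metadata": {"name": "worker"},             # inherits false from the 'default' SA
     "spec": {}},
]
```

Running `audit(PODS, SERVICE_ACCOUNTS)` flags spark-driver and spark-executor as auto-mounted and shows operator-webhook receiving its token only through the explicit kube-api-access volume.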
Does anyone want me to add support for this automountServiceAccountToken feature to the Spark operator?