Disable automountServiceAccountToken in the ACME HTTP01 solver Pod

Signed-off-by: Richard Wall <richard.wall@jetstack.io>
2023-01-26 00:11:42 +00:00 · 2023-01-26 00:11:42 +00:00 · e727df6c1d
commit e727df6c1d
parent a0683195f9
1 changed files with 5 additions and 0 deletions
--- a/pkg/issuer/acme/http/pod.go
+++ b/pkg/issuer/acme/http/pod.go
@ -175,6 +175,11 @@ func (s *Solver) buildDefaultPod(ch *cmacme.Challenge) *corev1.Pod {
 			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(ch, challengeGvk)},
 		},
 		Spec: corev1.PodSpec{
+			// The HTTP01 solver process does not need access to the
+			// Kubernetes API server, so we turn off automounting of
+			// the Kubernetes ServiceAccount token.
+			// See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting
+			AutomountServiceAccountToken: pointer.Bool(false),
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},