From e727df6c1dd28bd4f2c6146ce5d6d15bcf0f32d3 Mon Sep 17 00:00:00 2001
From: Richard Wall
Date: Thu, 26 Jan 2023 00:11:42 +0000
Subject: [PATCH] Disable automountServiceAccountToken in the ACME HTTP01 solver Pod

Signed-off-by: Richard Wall
---
 pkg/issuer/acme/http/pod.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/pkg/issuer/acme/http/pod.go b/pkg/issuer/acme/http/pod.go
index d15b4c9fa..66d15101b 100644
--- a/pkg/issuer/acme/http/pod.go
+++ b/pkg/issuer/acme/http/pod.go
@@ -175,6 +175,11 @@ func (s *Solver) buildDefaultPod(ch *cmacme.Challenge) *corev1.Pod {
 			OwnerReferences: []metav1.OwnerReference{*metav1.NewControllerRef(ch, challengeGvk)},
 		},
 		Spec: corev1.PodSpec{
+			// The HTTP01 solver process does not need access to the
+			// Kubernetes API server, so we turn off automounting of
+			// the Kubernetes ServiceAccount token.
+			// See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting
+			AutomountServiceAccountToken: pointer.Bool(false),
 			NodeSelector: map[string]string{
 				"kubernetes.io/os": "linux",
 			},
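Review bot: The added `AutomountServiceAccountToken: pointer.Bool(false)` line relies on the `pointer` package already being imported by pod.go — the diffstat shows only these five insertions and no import change, so the build depends on an existing import that is not visible in this hunk and is worth confirming. The hardening itself is sound: a Pod-level `false` takes precedence over whatever the namespace's ServiceAccount sets, so no API credential is projected into the solver container regardless of the SA's own `automountServiceAccountToken` value. Because this is only the default Pod, any later merge of a user-supplied solver pod template could reintroduce the mount if it copies that field; a unit test asserting `p := s.buildDefaultPod(ch); if p.Spec.AutomountServiceAccountToken == nil || *p.Spec.AutomountServiceAccountToken { t.Fatal("token automount must be disabled") }` would pin the new behaviour against regressions. buildDefaultPod starts and ends outside the hunk.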