Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Security] Allow disabling service account token mount for Loki gateway #3536

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

[Security] Allow disabling service account token mount for Loki gateway #3536

wants to merge 1 commit into from
+2 −0

Conversation

marioasabella
Copy link

@marioasabella marioasabella commented Jan 21, 2025
edited
Loading

What this PR does / why we need it:

Adds the ability to disable service account token automounting for the Loki gateway component. Since the gateway functions primarily as a reverse proxy/authentication layer and does not require access to the Kubernetes API for its core functionality, this enhancement allows users to follow security best practices by reducing unnecessary access.

Which issue(s) this PR fixes:

N/A

Special notes for your reviewer:

  • Maintains backward compatibility by defaulting automountServiceAccountToken to true
  • Only affects the gateway component which doesn't need Kubernetes API access
  • Follows the principle of least privilege by allowing users to disable unnecessary API access

Changes:

  • Added gateway.serviceAccount.automountServiceAccountToken configuration option
  • Modified gateway deployment template to respect this setting

Checklist:

  • Follows security best practices
  • Maintains backward compatibility

Example configuration:

gateway:
  serviceAccount:
    automountServiceAccountToken: false

@marioasabella
Add ability to disable service account token mount for gateway
ab4ac38 
The Loki gateway acts as a reverse proxy and doesn't require
Kubernetes API access. This change allows users to disable service
account token mounting for better security posture.
@CLAassistant
Copy link

CLAassistant commented Jan 21, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@marioasabella marioasabella changed the title Main [Security] Allow disabling service account token mount for Loki gateway Jan 21, 2025
@marioasabella marioasabella marked this pull request as ready for review January 21, 2025 16:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@unguiculus unguiculus Awaiting requested review from unguiculus unguiculus is a code owner

@Whyeasy Whyeasy Awaiting requested review from Whyeasy Whyeasy is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@marioasabella @CLAassistant