Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Use ServiceAccountName for impersonation #180

Merged
merged 3 commits into from
Nov 20, 2020
Merged

Use ServiceAccountName for impersonation #180

merged 3 commits into from
Nov 20, 2020

Conversation

stefanprodan
Copy link
Member

@stefanprodan stefanprodan commented Nov 20, 2020
edited
Loading

Drop the ServiceAccount field in favour of ServiceAccountName to prevent privilege escalation in multi-tenancy environments.

Breaking change, from:

spec:
  serviceAccount:
    name: webapp-reconciler
    namespace: webapp

to:

spec:
  serviceAccountName: webapp-reconciler

Fix: #179

@stefanprodan
Use ServiceAccountName for impersonation
0c91702 
Drop the ServiceAccount field in favour of ServiceAccountName to prevent privilege escalation in multi-tenancy environments.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan stefanprodan added the area/kustomize Kustomize related issues and pull requests label Nov 20, 2020
@stefanprodan stefanprodan requested a review from hiddeco November 20, 2020 09:02
@stefanprodan
Add impersonation e2e test
c150d15 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan
Document that KubeConfig takes precedence over ServiceAccountName
8f7f0d8 
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan stefanprodan merged commit 59b1134 into main Nov 20, 2020
@stefanprodan stefanprodan deleted the sa branch November 20, 2020 10:13
@relu relu mentioned this pull request Nov 20, 2020
Merged
relu added a commit to relu/flux2 that referenced this pull request Nov 20, 2020
@relu
Adjustments to support new sa name in kustomize
53a1db0 
Supporting changes in fluxcd/kustomize-controller#180

Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@hiddeco hiddeco hiddeco approved these changes

Assignees
No one assigned
Labels
area/kustomize Kustomize related issues and pull requests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Restrict service account impersonation
2 participants
@stefanprodan @hiddeco