gsingh935 opened a new pull request, #45056: URL: https://github.com/apache/airflow/pull/45056
Setting automountServiceAccountToken: true in a Kubernetes Pod's specification ensures that the pod automatically mounts a service account token, granting it access to the Kubernetes API. While this is necessary for applications that interact with the API, enabling this feature indiscriminately can introduce several security risks: **Excessive Permissions**: By default, the mounted service account token may have broader permissions than the pod requires. If an attacker compromises the pod, they could exploit these permissions to perform unauthorized actions within the cluster. **Privilege Escalation**: A compromised pod with an automatically mounted service account token can interact with the Kubernetes API, potentially allowing an attacker to escalate privileges and gain control over additional cluster resources. **Increased Attack Surface**: Mounting the service account token into a pod's filesystem increases the pod's attack surface, making it more susceptible to security breaches. Best Practices: Disable Automatic Mounting : Set automountServiceAccountToken: false for pods that do not require interaction with the Kubernetes API. This minimizes the risk by ensuring that only pods needing API access have the token mounted. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
