@ababu13 ababu13 commented Aug 20, 2025

Summary

This PR introduces changes to the AppDynamics Operator pod spec to handle Kubernetes’ automountServiceAccountToken (AMT) security requirement.
By default, Kubernetes automatically mounts the ServiceAccount token into pods through automountServiceAccountToken: true. However, some security scanners and compliance tools flag this as a violation, because pods should not have an auto-mounted token unless explicitly required.

To resolve this, we make the token mounting explicit and controlled:
  • Added the automountServiceAccountToken field to the operator pod definition (default true in values.yaml, but can be overridden).
  • Introduced manual volumes and volumeMounts for the ServiceAccount token, CA certificate, and namespace data, ensuring that the operator can still communicate with the Kubernetes API even when automountServiceAccountToken: false.

Technical Details

  1. Helm Chart Updates
  • Added automountServiceAccountToken to values.yaml under operatorPod (default: true).
  • Added volumeMounts and volumes configuration to values.yaml for manual mounting.
  2. Deployment Manifest Updates
  • If .Values.operatorPod.automountServiceAccountToken is set to false, the operator pod will not auto-mount the token.
  • Instead, a projected kube-api-access volume is defined and mounted manually:

```yaml
volumes:
  - name: kube-api-access
    projected:
      defaultMode: 0444
      sources:
      - serviceAccountToken:
          path: token
          expirationSeconds: 3600
      - configMap:
          name: kube-root-ca.crt
          items:
            - key: ca.crt
              path: ca.crt
      - downwardAPI:
          items:
            - path: namespace
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
volumeMounts:
  - name: kube-api-access
    mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    readOnly: true
```

  • This manual setup mimics the default ServiceAccount mounting but gives us fine-grained control and avoids compliance violations.

Why This Change?

Problem: If we disable automountServiceAccountToken, pods fail because they cannot authenticate to the Kubernetes API.

Solution: Provide explicit volumes and volumeMounts that replicate the default mount behavior. This ensures the operator continues functioning while resolving security/compliance violations.

Benefits

  • Eliminates AMT security violations flagged by compliance tools.
  • Retains operator functionality when AMT is disabled.
  • Makes token mounting explicit and configurable via values.yaml.

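The following is an added audit script, not code from the PR or from the AppDynamics Operator chart. It inspects a Pod spec (as a plain dict, the shape `kubectl get pod -o json` returns under `.spec`) and distinguishes the three states the description above is about: the token mounted implicitly (what scanners flag), automount disabled with nothing replacing it (the pod cannot reach the API server), and automount disabled with an explicit projected `kube-api-access` mount like the one in the PR. The sample specs and container names are constructed for the example; the mount path and the `kube-root-ca.crt` ConfigMap name are the standard Kubernetes ones.

```python
"""Audit how a Pod spec mounts its ServiceAccount token (added example).

Only the Pod spec is inspected. When automountServiceAccountToken is unset
at the Pod level, Kubernetes inherits the ServiceAccount's setting, which
defaults to true, so "unset" is treated as an implicit mount here.
"""

# Path in-cluster clients (client-go and friends) read the token from.
SA_MOUNT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def token_mounts(pod_spec):
    """Return (volume, volumeMount) pairs for projected volumes that carry a
    serviceAccountToken source and are actually mounted by a container."""
    volumes = {v["name"]: v for v in pod_spec.get("volumes", [])}
    containers = pod_spec.get("containers", []) + pod_spec.get("initContainers", [])
    pairs = []
    for container in containers:
        for mount in container.get("volumeMounts", []):
            volume = volumes.get(mount.get("name"))
            if volume is None:
                continue
            sources = volume.get("projected", {}).get("sources", [])
            if any("serviceAccountToken" in src for src in sources):
                pairs.append((volume, mount))
    return pairs


def audit_pod_spec(pod_spec):
    """Return a list of findings. An empty list means the token is mounted
    explicitly, read-only, at the expected path, together with the CA bundle
    the client needs to verify the API server."""
    if pod_spec.get("automountServiceAccountToken", True):
        return ["automountServiceAccountToken is true or unset: token is mounted implicitly"]
    pairs = token_mounts(pod_spec)
    if not pairs:
        return ["automount disabled but no projected serviceAccountToken volume is mounted: "
                "the pod cannot authenticate to the API server"]
    findings = []
    for volume, mount in pairs:
        name = volume["name"]
        if mount.get("mountPath") != SA_MOUNT_PATH:
            findings.append(f"{name}: mounted at {mount.get('mountPath')!r}, "
                            f"but in-cluster clients read {SA_MOUNT_PATH}")
        if not mount.get("readOnly", False):
            findings.append(f"{name}: token mount is not readOnly")
        has_ca = any(src.get("configMap", {}).get("name") == "kube-root-ca.crt"
                     for src in volume["projected"]["sources"])
        if not has_ca:
            findings.append(f"{name}: no kube-root-ca.crt source, API server TLS cannot be verified")
    return findings


def make_explicit_spec(read_only=True, mount_path=SA_MOUNT_PATH, with_ca=True):
    """Build a constructed spec mirroring the PR's projected volume; the
    keyword arguments let the example show what each misconfiguration triggers."""
    sources = [
        {"serviceAccountToken": {"path": "token", "expirationSeconds": 3600}},
        {"downwardAPI": {"items": [{"path": "namespace",
                                    "fieldRef": {"apiVersion": "v1",
                                                 "fieldPath": "metadata.namespace"}}]}},
    ]
    if with_ca:
        sources.insert(1, {"configMap": {"name": "kube-root-ca.crt",
                                         "items": [{"key": "ca.crt", "path": "ca.crt"}]}})
    return {
        "automountServiceAccountToken": False,
        "containers": [{"name": "operator", "image": "example/operator:latest",
                        "volumeMounts": [{"name": "kube-api-access",
                                          "mountPath": mount_path,
                                          "readOnly": read_only}]}],
        "volumes": [{"name": "kube-api-access",
                     "projected": {"defaultMode": 0o444, "sources": sources}}],
    }


# Constructed sample specs, not taken from a real cluster.
SPEC_IMPLICIT = {"containers": [{"name": "operator", "image": "example/operator:latest"}]}
SPEC_BROKEN = {"automountServiceAccountToken": False,
               "containers": [{"name": "operator", "image": "example/operator:latest"}]}
SPEC_EXPLICIT = make_explicit_spec()

if __name__ == "__main__":
    for label, spec in [("implicit", SPEC_IMPLICIT), ("broken", SPEC_BROKEN),
                        ("explicit", SPEC_EXPLICIT),
                        ("writable", make_explicit_spec(read_only=False))]:
        print(f"{label}: {audit_pod_spec(spec) or ['ok']}")
```

Run it against real manifests by loading `.spec` of each Pod (or the Pod template of a Deployment) into `audit_pod_spec`; the path check matters because a projected token mounted anywhere other than the standard path satisfies a scanner but leaves the operator unable to find its credentials.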