install/kubernetes: restrict k8s access for relay

It seems relay has no interaction with Kubernetes, and as such, it does not need (cluster)roles/-bindings or a mounted SA token. This prevents attackers from doing nasty stuff on behalf of relay. Fixes: e9cb43c ("Helm: full refactor of helm charts..") Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
cilium · Jul 22, 2021 · 2857b3e · 2857b3e
1 parent a615288
commit 2857b3e
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 34 deletions.
diff --git a/install/kubernetes/cilium/templates/hubble-relay/clusterrole.yaml b/install/kubernetes/cilium/templates/hubble-relay/clusterrole.yaml
diff --git a/install/kubernetes/cilium/templates/hubble-relay/clusterrolebinding.yaml b/install/kubernetes/cilium/templates/hubble-relay/clusterrolebinding.yaml
diff --git a/install/kubernetes/cilium/templates/hubble-relay/deployment.yaml b/install/kubernetes/cilium/templates/hubble-relay/deployment.yaml
@@ -85,6 +85,7 @@ spec:
       restartPolicy: Always
       serviceAccount: {{ .Values.serviceAccounts.relay.name | quote }}
       serviceAccountName: {{ .Values.serviceAccounts.relay.name | quote }}
+      automountServiceAccountToken: false
       terminationGracePeriodSeconds: 0
 {{- with .Values.hubble.relay.nodeSelector }}
       nodeSelector: