Type: Bug
Resolution: Done
Priority: Minor
Quality / Stability / Reliability
False
3
Sprints: Multi-Arch Sprint 268, Multi-Arch Sprint 269, Multi-Arch Sprint 270, Multi-Arch Sprint 271, Multi-Arch Sprint 272, Multi-Arch Sprint 273, MTO Sprint 277
When the Coverity check runs in the operator build pipeline, it raises the following warning:
[
"The service account token is automatically mounted for a `Kubernetes.Pod` or `Kubernetes.ServiceAccount`. Auto-mounting the service account token means this shared bearer token will be written to the container file system at `/var/run/secrets/kubernetes.io/serviceaccount`. If an attacker were to compromise the container, this token can easily be used to elevate privileges, interact with the Kubernetes API, and pivot to other resources."
]
Discuss with konflux/releng, operator-framework/kubebuilder, or both, whether the code needs to interact with the Kubernetes API in some way other than through the service account token automounted into the manager pod.
If not, we may need an exclusion rule for this check.
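For reference, the code-free way to clear this finding is to turn automounting off and mount a bounded projected token explicitly. The following is an added example, not the operator's own manifests; the namespace `system`, the ServiceAccount name `controller-manager` and the image `controller:latest` are assumed (they match kubebuilder's scaffold defaults but are not taken from this project). Two details matter: the Pod-level `automountServiceAccountToken` overrides the ServiceAccount's, so the setting belongs in both places, and the projected volume is mounted at the same path that client-go's `rest.InClusterConfig()` already reads, so the manager code is unchanged.

```yaml
# Added example (not the operator's own manifests): disable automounting and
# mount a short-lived, bounded projected token explicitly.
# Assumed names: namespace "system", ServiceAccount "controller-manager",
# image "controller:latest".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: controller-manager
  namespace: system
# Default for every pod that uses this ServiceAccount.
automountServiceAccountToken: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: controller-manager
  namespace: system
spec:
  replicas: 1
  selector:
    matchLabels:
      control-plane: controller-manager
  template:
    metadata:
      labels:
        control-plane: controller-manager
    spec:
      serviceAccountName: controller-manager
      # The Pod-level setting wins over the ServiceAccount's, so set it here
      # too; otherwise a later edit to the pod spec silently re-enables it.
      automountServiceAccountToken: false
      containers:
      - name: manager
        image: controller:latest
        volumeMounts:
        # Same path client-go's in-cluster config reads (token, ca.crt,
        # namespace), so the manager needs no code change.
        - name: kube-api-access
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
      volumes:
      - name: kube-api-access
        projected:
          defaultMode: 420   # 0644
          sources:
          - serviceAccountToken:
              path: token
              # Bound to this pod and the API server audience; the kubelet
              # rotates it before expiry. The API server enforces a 600 s minimum.
              expirationSeconds: 3600
          - configMap:
              # Cluster CA published to every namespace by the control plane.
              name: kube-root-ca.crt
              items:
              - key: ca.crt
                path: ca.crt
          - downwardAPI:
              items:
              - path: namespace
                fieldRef:
                  fieldPath: metadata.namespace
```

A caveat when deciding between a code or manifest change and an exclusion rule: on Kubernetes 1.22 and later the automounted token is already a projected, time-bound token of this shape, so the manifest above does not shrink the blast radius of a compromised container by itself; what it changes is that the mount becomes an explicit, reviewable decision rather than a default. If the manager genuinely needs the token for all of its API access, that is the justification to record in the exclusion rule, together with the RBAC that scopes what the token can do.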
Acceptance criteria:
- Describe in this Jira how and why the warning is resolved.
- The warning is resolved, either by changes in the code or through an exclusion rule.
Docs:
https://docs.google.com/document/d/1zSiSDfjpUIDqSND2QFWgHvEg6Pr8mJ6DbVYFBX7eJQI/edit?tab=t.0