From 2a147e9cf5389dc7b9d65651c214903cfc266002 Mon Sep 17 00:00:00 2001
From: gsingh935 <72580717+gsingh935@users.noreply.github.com>
Date: Wed, 18 Dec 2024 20:22:21 +0000
Subject: [PATCH 1/6] Set automountServiceAccountToken: false for statsd, workers, pgbouncer and webserver fix(security): disable automatic mounting of service account tokens to enhance pod security
---
 chart/values.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index adf68c3a194d3..63ce968ed1d82 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -612,7 +612,7 @@ workers:
 serviceAccount:
 # default value is true
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 # Specifies whether a ServiceAccount should be created
 create: true
 # The name of the ServiceAccount to use.
@@ -1416,7 +1416,7 @@ webserver:
 serviceAccount:
 # default value is true
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 # Specifies whether a ServiceAccount should be created
 create: true
 # The name of the ServiceAccount to use.
@@ -2096,7 +2096,7 @@ statsd:
 serviceAccount:
 # default value is true
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 # Specifies whether a ServiceAccount should be created
 create: true
 # The name of the ServiceAccount to use.
@@ -2181,7 +2181,7 @@ pgbouncer:
 serviceAccount:
 # default value is true
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 # Specifies whether a ServiceAccount should be created
 create: true
 # The name of the ServiceAccount to use.
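Review bot: The `# default value is true` comment kept directly above each changed line now contradicts the value beneath it in the webserver, statsd and pgbouncer hunks, and a reader cannot tell whether it means the Kubernetes default or the chart default. Make it explicit, e.g. `# Kubernetes defaults this to true; the chart sets false so no API token is mounted into this pod`, and since the workers hunk is reverted again in PATCH 2/6, squashing the two would avoid toggling that value in history. Changing a shipped default is a user-visible behaviour change and I see no changelog or upgrade note in this series; please add one. For the webserver in particular, confirm that no template binds RBAC it actually uses at runtime (for example reading task logs from worker pods when the KubernetesExecutor is configured), because with this default the pod will have no token to exercise that binding — this is inferred, not visible in the hunk.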
From 2c1b3c475472b404755b169a37ea9c2a4e997a3a Mon Sep 17 00:00:00 2001
From: gsingh935 <72580717+gsingh935@users.noreply.github.com>
Date: Thu, 19 Dec 2024 08:08:45 +0000
Subject: [PATCH 2/6] Reverting automountserviceaccount to original value for worker
---
 chart/values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index 63ce968ed1d82..ef8888d87ed9e 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -612,7 +612,7 @@ workers:
 serviceAccount:
 # default value is true
 # ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
- automountServiceAccountToken: false
+ automountServiceAccountToken: true
 # Specifies whether a ServiceAccount should be created
 create: true
 # The name of the ServiceAccount to use.
From ee39a47c54dc46ad51e247b96546db0245d707cc Mon Sep 17 00:00:00 2001
From: gsingh935 <72580717+gsingh935@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:20:41 +0000
Subject: [PATCH 3/6] Set automountServiceAccountToken: false for webserver
---
 helm_tests/webserver/test_webserver.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm_tests/webserver/test_webserver.py b/helm_tests/webserver/test_webserver.py
index c0014b6f62a56..9e0d897445951 100644
--- a/helm_tests/webserver/test_webserver.py
+++ b/helm_tests/webserver/test_webserver.py
@@ -1189,7 +1189,7 @@ def test_default_automount_service_account_token(self):
 },
 show_only=["templates/webserver/webserver-serviceaccount.yaml"],
 )
- assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
 def test_overridden_automount_service_account_token(self):
 docs = render_chart(
From 08a07a5455608e99df539aa5515878252ea2153f Mon Sep 17 00:00:00 2001
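Review bot: After this revert the workers block is the only one of the four that keeps the token mounted, and nothing in the file records why, so the next hardening pass is likely to flip it back. Put the rationale next to the value rather than only in the commit subject, e.g. `# kept true: worker pods need API access when the KubernetesExecutor or KubernetesPodOperator manages pods (confirm)` — I am inferring the reason, so please state the real one. Squashing this with PATCH 1/6 would also keep the series from toggling the value.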
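Review bot: `test_overridden_automount_service_account_token`, whose body starts after this hunk, should be re-checked alongside this assertion: if it overrides the value to `False` it no longer tests an override now that the default asserted above is `False`, and should set `True` instead. The same applies to the identical hunks in `helm_tests/other/test_pgbouncer.py` (PATCH 4/6) and `helm_tests/other/test_statsd.py` (PATCH 5/6). Note also that the chart default moved in PATCH 1/6 while these assertions move in separate commits, so the intermediate commits do not pass these tests; squashing them keeps every commit green.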
From: gsingh935 <72580717+gsingh935@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:21:19 +0000
Subject: [PATCH 4/6] Update test_pgbouncer.py
---
 helm_tests/other/test_pgbouncer.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm_tests/other/test_pgbouncer.py b/helm_tests/other/test_pgbouncer.py
index 04b84d2325b09..2b2a483397af3 100644
--- a/helm_tests/other/test_pgbouncer.py
+++ b/helm_tests/other/test_pgbouncer.py
@@ -724,7 +724,7 @@ def test_default_automount_service_account_token(self):
 },
 show_only=["templates/pgbouncer/pgbouncer-serviceaccount.yaml"],
 )
- assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
 def test_overridden_automount_service_account_token(self):
 docs = render_chart(
From 3af3411e2be687d4dfef12c618d68aff6ebed7cd Mon Sep 17 00:00:00 2001
From: gsingh935 <72580717+gsingh935@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:21:49 +0000
Subject: [PATCH 5/6] Update test_statsd.py
---
 helm_tests/other/test_statsd.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/helm_tests/other/test_statsd.py b/helm_tests/other/test_statsd.py
index d54efc0f9e457..52bc8af60d5ad 100644
--- a/helm_tests/other/test_statsd.py
+++ b/helm_tests/other/test_statsd.py
@@ -377,7 +377,7 @@ def test_default_automount_service_account_token(self):
 },
 show_only=["templates/statsd/statsd-serviceaccount.yaml"],
 )
- assert jmespath.search("automountServiceAccountToken", docs[0]) is True
+ assert jmespath.search("automountServiceAccountToken", docs[0]) is False
 def test_overridden_automount_service_account_token(self):
 docs = render_chart(
From ff63e7a85f4f0f74fc6e10e93af120cd73e86d73 Mon Sep 17 00:00:00 2001
From: gsingh935 <72580717+gsingh935@users.noreply.github.com>
Date: Thu, 19 Dec 2024 11:43:57 +0000
Subject: [PATCH 6/6] Update automountserviceaccount values.schema.json
---
 chart/values.schema.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/chart/values.schema.json b/chart/values.schema.json
index 52939b48c5c98..0ecb22f8ae5be 100644
--- a/chart/values.schema.json
+++ b/chart/values.schema.json
@@ -5594,7 +5594,7 @@
 "automountServiceAccountToken": {
 "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
 "type": "boolean",
- "default": true
+ "default": false
 },
 "create": {
 "description": "Specifies whether a ServiceAccount should be created.",
@@ -6782,7 +6782,7 @@
 "automountServiceAccountToken": {
 "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
 "type": "boolean",
- "default": true
+ "default": false
 },
 "create": {
 "description": "Specifies whether a ServiceAccount should be created.",
@@ -7397,7 +7397,7 @@
 "automountServiceAccountToken": {
 "description": "Specifies if ServiceAccount's API credentials should be mounted onto Pods",
 "type": "boolean",
- "default": true
+ "default": false
 },
 "create": {
 "description": "Specifies whether a ServiceAccount should be created.",
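Review bot: None of the three hunks shows which component's `serviceAccount` schema it sits in — only the `"default"` key at offsets 5594, 6782 and 7397 is visible — and the chart has four such blocks, one of which (workers) was reverted to `true` in PATCH 2/6. Please confirm that these three entries are the webserver, statsd and pgbouncer schemas and that the workers entry still says `"default": true`, so the schema and `chart/values.yaml` agree for every component; if the repository has a schema-versus-values consistency check, running it would settle this. The unchanged `description` could also say that the token is left unmounted by default, since `"default": false` alone does not explain the intent to someone reading generated docs.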