Rollback privilege escalation

Signed-off-by: Max Cao <[email protected]>

config/rbac/role.yaml

@@ -45,13 +45,6 @@ rules:
   verbs:
   - list
   - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts/token
-  verbs:
-  - create
-  - get
 - apiGroups:
   - '*'
   resources:

controllers/keda/scaledobject_controller.go

@@ -58,7 +58,6 @@ import (
 // +kubebuilder:rbac:groups=autoscaling,resources=horizontalpodautoscalers,verbs=get;list;watch;update;patch;create;delete
 // +kubebuilder:rbac:groups="",resources=configmaps;configmaps/status,verbs=get;list;watch
 // +kubebuilder:rbac:groups="",resources=events,verbs=create;patch
-// +kubebuilder:rbac:groups="",resources=serviceaccounts/token,verbs=create;get
 // +kubebuilder:rbac:groups="",resources=pods;services;services;secrets;external,verbs=get;list;watch
 // +kubebuilder:rbac:groups="*",resources="*/scale",verbs=get;list;watch;update;patch
 // +kubebuilder:rbac:groups="",resources="serviceaccounts",verbs=list;watch

pkg/scaling/resolver/scale_resolvers.go

@@ -614,7 +614,7 @@ func resolveBoundServiceAccountToken(ctx context.Context, client client.Client,
 		return ""
 	}
 	var err error
-	expirySeconds := ptr.Int64(3600)
+	expirySeconds := ptr.Int64(3600) // default expiry is 1 hour
 	if expiry != "" {
 		duration, err := time.ParseDuration(expiry)
 		if err != nil {
@@ -651,7 +651,7 @@ func generateToken(ctx context.Context, serviceAccountName, namespace string, ex
 		log.Error(err, "error trying to create token for service account", "ServiceAccount.Name", serviceAccountName)
 		return ""
 	}
-	log.Info("Service account token created successfully", "ServiceAccount.Name", serviceAccountName, "Token", token.Status.Token)
+	log.Info("Service account token created successfully", "ServiceAccount.Name", serviceAccountName)
 	return token.Status.Token
 }