fix: disable service account token automount for user pods

gmolto · gmolto · commit b2818f1813bb · 2026-04-02T18:37:32.000+02:00
diff --git a/pkg/types/service.go b/pkg/types/service.go
@@ -351,8 +351,10 @@ func (service *Service) ToPodSpec(cfg *Config) (*v1.PodSpec, error) {
 	if err != nil {
 		return nil, err
 	}
+	disableServiceAccountTokenAutomount := false
 
 	podSpec := &v1.PodSpec{
+		AutomountServiceAccountToken: &disableServiceAccountTokenAutomount,
 		ImagePullSecrets: SetImagePullSecrets(service.ImagePullSecrets),
 		Containers: []v1.Container{
 			{
diff --git a/pkg/types/service_test.go b/pkg/types/service_test.go
@@ -354,6 +354,12 @@ func TestToPodSpec(t *testing.T) {
 				if podSpec.Containers[0].Command[0] != fmt.Sprintf("%s/%s", VolumePath, WatchdogName) {
 					t.Fatalf("expected command to be supervisor path %s, got %s", fmt.Sprintf("%s/%s", VolumePath, WatchdogName), podSpec.Containers[0].Command[0])
 				}
+				if podSpec.AutomountServiceAccountToken == nil {
+					t.Fatalf("expected automountServiceAccountToken to be set")
+				}
+				if *podSpec.AutomountServiceAccountToken {
+					t.Fatalf("expected automountServiceAccountToken to be false")
+				}
 
 			}
 		})

Original file line number	Diff line number	Diff line change
`@@ -351,8 +351,10 @@ func (service Service) ToPodSpec(cfg Config) (*v1.PodSpec, error) {`
`351`	`351`	`if err != nil {`
`352`	`352`	`return nil, err`
`353`	`353`	`}`
	`354`	`+ disableServiceAccountTokenAutomount := false`
`354`	`355`
`355`	`356`	`podSpec := &v1.PodSpec{`
	`357`	`+ AutomountServiceAccountToken: &disableServiceAccountTokenAutomount,`
`356`	`358`	`ImagePullSecrets: SetImagePullSecrets(service.ImagePullSecrets),`
`357`	`359`	`Containers: []v1.Container{`
`358`	`360`	`{`
Original file line number	Diff line number	Diff line change
`@@ -354,6 +354,12 @@ func TestToPodSpec(t *testing.T) {`
`354`	`354`	`if podSpec.Containers[0].Command[0] != fmt.Sprintf("%s/%s", VolumePath, WatchdogName) {`
`355`	`355`	`t.Fatalf("expected command to be supervisor path %s, got %s", fmt.Sprintf("%s/%s", VolumePath, WatchdogName), podSpec.Containers[0].Command[0])`
`356`	`356`	`}`
	`357`	`+ if podSpec.AutomountServiceAccountToken == nil {`
	`358`	`+ t.Fatalf("expected automountServiceAccountToken to be set")`
	`359`	`+ }`
	`360`	`+ if *podSpec.AutomountServiceAccountToken {`
	`361`	`+ t.Fatalf("expected automountServiceAccountToken to be false")`
	`362`	`+ }`
`357`	`363`
`358`	`364`	`}`
`359`	`365`	`})`