Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(authentik): add option to set serviceaccount #253

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(authentik): add option to set serviceaccount #253

wants to merge 1 commit into from

Conversation

wrenix
Copy link
Contributor

@wrenix wrenix commented Mar 13, 2024
edited

I like to follow security guide lines, which say nobody should use the "default" serviceAccount of an namespace ...

so i like to create my own serviceAccount and assign it with this helm-chart.

PS: maybe it is also needed for #146

@wrenix wrenix requested a review from a team as a code owner March 13, 2024 18:34
rissson
rissson requested changes Mar 14, 2024
View reviewed changes
charts/authentik/templates/worker/deployment.yaml Outdated Show resolved Hide resolved
charts/authentik/Chart.yaml
@@ -1,6 +1,6 @@
---
apiVersion: v2
version: 2024.2.2
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll let @BeryJu comment on whether we should increase the chart version.

BeryJu
BeryJu reviewed Mar 14, 2024
View reviewed changes
Copy link
Member

@BeryJu BeryJu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think for the server container we could just not mount a service account at all since it doesn't need one. Although I suppose that would only change the defaults as there might still be usecases where someone might want to mount a service account themselves

@wrenix
Copy link
Contributor Author

wrenix commented Apr 6, 2024
edited

That is not BSI conform to use default serviceAccount, take a look in:
APP.4.4.A9 Nutzung von Kubernetes Service-Accounts

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/IT-GS-Kompendium_Einzel_PDFs_2022/06_APP_Anwendungen/APP_4_4_Kubernetes_Edition_2022.pdf?__blob=publicationFile&v=3

if you prefer to stop using the mount of the serviceaccount, it will break additional feature which user of this helm-chart could needed (e.g. #146).

@rissson
fix(authentik): add option to set serviceaccount
6d30ff4 
Co-authored-by: Marc 'risson' Schmitt <marc.schmitt@risson.space>
Signed-off-by: WrenIX <133280015+wrenix@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@BeryJu BeryJu BeryJu left review comments

@rissson rissson rissson requested changes

Requested changes must be addressed to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@wrenix @BeryJu @rissson