EIO-135: call out specific namespaces for default service accounts

Nelson Roberts
2020-07-10 10:35:11 -07:00
committed by Catherine Luse
parent 66f181c29b
commit 549bef7fec
@@ -66,7 +66,7 @@ services:
#### Set `automountServiceAccountToken` to `false` for `default` service accounts
Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.
For each namespace the **default** service account must include this value:
For each namespace including **default** and **kube-system** on a standard RKE install the **default** service account must include this value:
```
automountServiceAccountToken: false
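Review bot: The added sentence has no commas around its qualifier, so "on a standard RKE install" can be read as attaching either to the two named namespaces or to the whole requirement, and "including" can be misread as limiting the rule to **default** and **kube-system**. Suggest setting the qualifier off: "For each namespace, including **default** and **kube-system** on a standard RKE install, the **default** service account must include this value:". That keeps the "for each namespace" scope of the line being replaced and makes clear that the two named namespaces are examples that must not be skipped. The sentence also covers only the token setting, while the unchanged paragraph above it additionally requires that the default service account has no explicit rights assignments. If the named namespaces are the motivation for this change, consider stating that the rights requirement applies to them as well.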