From fdf795de21c6bf070de4c930aedebc3b778d2c90 Mon Sep 17 00:00:00 2001 From: MoritzWeber Date: Wed, 10 Apr 2024 11:51:01 +0200 Subject: [PATCH] fix: Don't mount service account token to session containers The sessions don't need the service account token. For increased security, I remove it. --- backend/capellacollab/sessions/operators/k8s.py | 1 + 1 file changed, 1 insertion(+) diff --git a/backend/capellacollab/sessions/operators/k8s.py b/backend/capellacollab/sessions/operators/k8s.py index 22b2d8722..514a15153 100644 --- a/backend/capellacollab/sessions/operators/k8s.py +++ b/backend/capellacollab/sessions/operators/k8s.py @@ -521,6 +521,7 @@ def _create_deployment( labels={"app": name, "workload": "session"} ), spec=client.V1PodSpec( + automount_service_account_token=False, security_context=pod_security_context, containers=containers, volumes=k8s_volumes,