How to ensure all Pods do not mount ServiceAccount tokens by default in new Namespaces?

Solution Unverified - Updated -

Issue

When creating new Namespaces, there are a number of automatically generated ServiceAccounts that have permissions to access the APIServer.

When deploying workloads that should not require access to the APIServer, is there an option to stop Pods from automatically mounting ServiceAccount tokens for an entire Namespace?

Is there a configuration option to automatically set the default ServiceAccount (and potentially other ServiceAccounts) with 'automountServiceAccountToken: false'?

Environment

  • OpenShift Container Platform
    • 4.10
