[bitnami/multus-cni] fix: 🔒 Move service-account token auto-mount to pod declaration (#22439)

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
2026-03-16 06:47:30 +08:00 · 2024-01-19 11:54:52 +01:00
parent d8a354d43f
commit a6db220924
4 changed files with 14 additions and 9 deletions
--- a/bitnami/multus-cni/Chart.yaml
+++ b/bitnami/multus-cni/Chart.yaml
@@ -29,4 +29,4 @@ maintainers:
 name: multus-cni
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/multus-cni
-version: 1.3.1
+version: 1.4.0
--- a/bitnami/multus-cni/README.md
+++ b/bitnami/multus-cni/README.md
@@ -98,6 +98,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `priorityClassName`                            | Multus CNI pods' priorityClassName                                                                                    | `""`                         |
 | `schedulerName`                                | Name of the k8s scheduler (other than default)                                                                        | `""`                         |
 | `topologySpreadConstraints`                    | Topology Spread Constraints for pod assignment                                                                        | `[]`                         |
+| `automountServiceAccountToken`                 | Mount Service Account token in pod                                                                                    | `true`                       |
 | `hostAliases`                                  | Add deployment host aliases                                                                                           | `[]`                         |
 | `extraEnvVars`                                 | Extra environment variables                                                                                           | `[]`                         |
 | `extraEnvVarsCM`                               | ConfigMap containing extra env vars                                                                                   | `""`                         |
@@ -154,13 +155,13 @@ The command removes all the Kubernetes components associated with the chart and

 ### Other Parameters

-| Name                                          | Description                                                            | Value  |
-| --------------------------------------------- | ---------------------------------------------------------------------- | ------ |
-| `rbac.create`                                 | Specifies whether RBAC resources should be created                     | `true` |
-| `serviceAccount.create`                       | Enable creation of ServiceAccount for Multus CNI pod                   | `true` |
-| `serviceAccount.name`                         | The name of the ServiceAccount to use.                                 | `""`   |
-| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `true` |
-| `serviceAccount.annotations`                  | Additional custom annotations for the ServiceAccount                   | `{}`   |
+| Name                                          | Description                                                            | Value   |
+| --------------------------------------------- | ---------------------------------------------------------------------- | ------- |
+| `rbac.create`                                 | Specifies whether RBAC resources should be created                     | `true`  |
+| `serviceAccount.create`                       | Enable creation of ServiceAccount for Multus CNI pod                   | `true`  |
+| `serviceAccount.name`                         | The name of the ServiceAccount to use.                                 | `""`    |
+| `serviceAccount.automountServiceAccountToken` | Allows auto mount of ServiceAccountToken on the serviceAccount created | `false` |
+| `serviceAccount.annotations`                  | Additional custom annotations for the ServiceAccount                   | `{}`    |

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

--- a/bitnami/multus-cni/templates/daemonset.yaml
+++ b/bitnami/multus-cni/templates/daemonset.yaml
@@ -53,6 +53,7 @@ spec:
      {{- if .Values.tolerations }}
      tolerations: {{- include "common.tplvalues.render" (dict "value" .Values.tolerations "context" $) | nindent 8 }}
      {{- end }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
      {{- if .Values.hostAliases }}
      hostAliases: {{- include "common.tplvalues.render" (dict "value" .Values.hostAliases "context" $) | nindent 8 }}
      {{- end }}
--- a/bitnami/multus-cni/values.yaml
+++ b/bitnami/multus-cni/values.yaml
@@ -135,6 +135,9 @@ schedulerName: ""
 ## The value is evaluated as a template
 ##
 topologySpreadConstraints: []
+## @param automountServiceAccountToken Mount Service Account token in pod
+##
+automountServiceAccountToken: true
 ## @param hostAliases [array] Add deployment host aliases
 ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
 ##
@@ -335,7 +338,7 @@ serviceAccount:
  ## @param serviceAccount.automountServiceAccountToken Allows auto mount of ServiceAccountToken on the serviceAccount created
  ## Can be set to false if pods using this serviceAccount do not need to use K8s API
  ##
-  automountServiceAccountToken: true
+  automountServiceAccountToken: false
  ## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
  ##
  annotations: {}