Docker container Security¶
As a best practice, each workload should run with its own unique service account. A service account is a Kubernetes resource that is used by Kubernetes entities such as pods to authenticate itself.
By having a unique service account per workload, RBAC policies can be applied for each service account to limit the resources that a service account can access.
mq-spring-app workload is designed to run with a service account with the same name of
mq-spring-app. When the helm chart gets deployed, the service account gets created.
The service account manifest created is defined as follows:
automountServiceAccountToken: false will ensure that the service account secret containing the authentication token does not get mounted. This ensures, that a malicious user who gets access to the pod, cannot get the service account token and use it for accessing the cluster.
The deployment resource is configured to run pods using the
mq-spring-app service account. See: https://github.com/cloud-native-toolkit/mq-spring-app/blob/457fcd26564187397ed5de07cc1c37a1ead5faf8/chart/base/templates/deployment.yaml#L36
spec section of the deployment.yaml file has the following entry: