Docker container Security¶

As a best practice, each workload should run with its own unique service account. A service account is a Kubernetes resource that is used by Kubernetes entities such as pods to authenticate itself.

By having a unique service account per workload, RBAC policies can be applied for each service account to limit the resources that a service account can access.

The mq-spring-app workload is designed to run with a service account with the same name of mq-spring-app. When the helm chart gets deployed, the service account gets created.
See: https://github.com/cloud-native-toolkit/mq-spring-app/blob/master/chart/base/templates/serviceaccount.yaml

The service account manifest created is defined as follows:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: mq-spring-app
automountServiceAccountToken: false

The automountServiceAccountToken: false will ensure that the service account secret containing the authentication token does not get mounted. This ensures, that a malicious user who gets access to the pod, cannot get the service account token and use it for accessing the cluster.

The deployment resource is configured to run pods using the mq-spring-app service account. See: https://github.com/cloud-native-toolkit/mq-spring-app/blob/457fcd26564187397ed5de07cc1c37a1ead5faf8/chart/base/templates/deployment.yaml#L36

THe spec section of the deployment.yaml file has the following entry:

spec:
  serviceAccountName: mq-spring-app