Merge pull request #1948 from coreos-inc/builer-service-account

Add emptyDir volume to builder pods to mask secrets

buildman/manager/executor.py

@@ -376,6 +376,22 @@ class KubernetesExecutor(BuilderExecutor):
             },
           },
           'spec': {
+            # This volume is a hack to mask the token for the namespace's
+            # default service account, which is placed in a file mounted under
+            # `/var/run/secrets/kubernetes.io/serviceaccount` in all pods.
+            # There's currently no other way to just disable the service
+            # account at either the pod or namespace level.
+            #
+            #   https://github.com/kubernetes/kubernetes/issues/16779
+            #
+            'volumes': [
+              {
+                'name': 'secrets-mask',
+                'emptyDir': {
+                  'medium': 'Memory',
+                },
+              },
+            ],
             'containers': [
               {
                 'name': 'builder',
@@ -390,6 +406,12 @@ class KubernetesExecutor(BuilderExecutor):
                 'resources': {
                   'requests': container_requests,
                 },
+                'volumeMounts': [
+                  {
+                    'name': 'secrets-mask',
+                    'mountPath': '/var/run/secrets/kubernetes.io/serviceaccount',
+                  },
+                ],
               },
             ],
             'imagePullSecrets': [{'name': 'builder'}],