Description
Discussed in #3530
Originally posted by nickdk June 20, 2025
I'm experimenting with nginx-gateway-fabric on a cluster not managed by myself. This cluster has quite stringent security requirements enforced by gatekeeper that denies certain configuration on certain resources.
One of them is requiring that all ServiceAccount objects have explicitly set:
```yaml
automountServiceAccountToken: false
```
The deployment is still allowed to explicitly set auto mounting of the service account to true:
```yaml
spec:
  automountServiceAccountToken: true
```
As far as I can tell this has the exact same functionality from the Pod's perspective.
Would it be feasible to do this on all service accounts in nginx-gateway-fabric? More specifically:
- In the Helm chart template or allow it to be controlled through helm values
- In the ServiceAccount of the data plane that is dynamically created by the control plane based on the Gateway spec
I can work around the first one by inlining the chart and changing the template but it's annoying when having to upgrade to newer chart versions so ideally it would be controllable by chart values or just be the default.
The second thing is more problematic since I don't seem to have a way to define this on the dynamically created data plane ServiceAccount and Deployment. I can only change annotations and labels through the Gateway infrastructure yaml section.
Thanks for your feedback.
====
As a user of NGF in an environment that restricts usage of the automountServiceAccountToken field
I want to configure that field in my Helm chart for NGF
So that I can use NGF in the restricted environment.
Acceptance
- The NGF Helm chart is updated to make both of the following fields configurable:
  - The "automountServiceAccountToken" for all ServiceAccount objects
  - The "automountServiceAccountToken" for all Deployment objects
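An added example, not part of the original issue or NGF's code: a small audit that flags ServiceAccounts lacking an explicit `automountServiceAccountToken: false` and computes whether each Deployment's pods would still get a token, using the Kubernetes rule that the pod-level field takes precedence over the ServiceAccount's. The manifests and their names are constructed for illustration.

```python
# Added example: constructed manifests, not NGF's rendered chart output.

def pod_spec(workload):
    """Return the pod spec of a Deployment-like workload."""
    return workload.get("spec", {}).get("template", {}).get("spec", {})

def token_mounted(workload, service_accounts):
    """Effective automount: the pod-level field wins over the ServiceAccount's;
    when neither is set, Kubernetes mounts the token (default true)."""
    spec = pod_spec(workload)
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    ns = workload["metadata"].get("namespace", "default")
    sa_name = spec.get("serviceAccountName", "default")
    sa = service_accounts.get((ns, sa_name), {})
    return bool(sa.get("automountServiceAccountToken", True))

def audit(manifests):
    """Return (violations, effective) for a list of manifest dicts.
    violations: names of ServiceAccounts lacking an explicit `false`.
    effective: {deployment name: whether the token is actually mounted}."""
    sas = {(m["metadata"].get("namespace", "default"), m["metadata"]["name"]): m
           for m in manifests if m["kind"] == "ServiceAccount"}
    violations = sorted(name for (_, name), sa in sas.items()
                        if sa.get("automountServiceAccountToken") is not False)
    effective = {m["metadata"]["name"]: token_mounted(m, sas)
                 for m in manifests if m["kind"] == "Deployment"}
    return violations, effective

# Constructed sample input; all names are hypothetical.
MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "sa-default", "namespace": "gw"}},
    {"kind": "ServiceAccount", "metadata": {"name": "sa-locked", "namespace": "gw"},
     "automountServiceAccountToken": False},
    {"kind": "Deployment", "metadata": {"name": "implicit", "namespace": "gw"},
     "spec": {"template": {"spec": {"serviceAccountName": "sa-default"}}}},
    {"kind": "Deployment", "metadata": {"name": "opt-in", "namespace": "gw"},
     "spec": {"template": {"spec": {"serviceAccountName": "sa-locked",
                                    "automountServiceAccountToken": True}}}},
    {"kind": "Deployment", "metadata": {"name": "no-token", "namespace": "gw"},
     "spec": {"template": {"spec": {"serviceAccountName": "sa-locked"}}}},
]

if __name__ == "__main__":
    print(audit(MANIFESTS))
```

The `opt-in` case is the pattern requested here: the ServiceAccount satisfies the admission policy while the pod template explicitly requests the token it needs.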