Skip to content

Add Security considerations section to access-api-from-pod task#55706

Open
singhvishalkr wants to merge 1 commit intokubernetes:mainfrom
singhvishalkr:55660-add-pod-api-security-considerations
Open

Add Security considerations section to access-api-from-pod task#55706
singhvishalkr wants to merge 1 commit intokubernetes:mainfrom
singhvishalkr:55660-add-pod-api-security-considerations

Conversation

@singhvishalkr
Copy link
Copy Markdown

@singhvishalkr singhvishalkr commented May 7, 2026

The page describes how a Pod authenticates to the API server (ServiceAccount token, in-cluster CA, kubectl proxy, raw curl) but stops short of the operational hygiene that goes with that access. Issue #55660 asks for a short security-considerations block tied to the same flow.

This change appends a ## Security considerations section at the end of the existing API-access steps. It covers four things, each with a concrete in-tree link:

  • prefer a dedicated ServiceAccount per workload over the namespace default
  • scope permissions through RBAC, with Role/RoleBinding favored over ClusterRole when one namespace is enough
  • set automountServiceAccountToken: false on Pods that do not need API access at all
  • re-evaluate whether direct API access is still the right design (controller, webhook, or out-of-cluster reader as alternatives)

Single file, +25 lines, no behavioural code touched.

Closes #55660

NONE

/sig docs
/kind documentation
/language en

@k8s-ci-robot k8s-ci-robot added sig/docs Categorizes an issue or PR as relevant to SIG Docs. kind/documentation Categorizes issue or PR as related to documentation. language/en Issues or PRs related to English language labels May 7, 2026
@k8s-ci-robot
Copy link
Copy Markdown
Contributor

k8s-ci-robot commented May 7, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign sayanchowdhury for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels May 7, 2026
@netlify
Copy link
Copy Markdown

netlify Bot commented May 7, 2026

Pull request preview available for checking

Built without sensitive environment variables

Name Link
🔨 Latest commit 3a8aa85
🔍 Latest deploy log https://app.netlify.com/projects/kubernetes-io-main-staging/deploys/69fcc5774a8dcf0008c93dbc
😎 Deploy Preview https://deploy-preview-55706--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@singhvishalkr
Copy link
Copy Markdown
Author

singhvishalkr commented May 7, 2026

/assign @sayanchowdhury

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nate-double-u nate-double-u Awaiting requested review from nate-double-u

@reylejano reylejano Awaiting requested review from reylejano

Assignees

@sayanchowdhury sayanchowdhury

Labels

cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/documentation Categorizes issue or PR as related to documentation. language/en Issues or PRs related to English language sig/docs Categorizes an issue or PR as relevant to SIG Docs. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add security considerations for accessing the Kubernetes API from a Pod

3 participants

@singhvishalkr @k8s-ci-robot @sayanchowdhury