traefik-helm-chart
Allow setting value of 'automountServiceAccountToken' in pod helm template traefik v2
Welcome!
- [X] Yes, I've searched similar issues on GitHub and didn't find any.
- [X] Yes, I've searched similar issues on the Traefik community forum and didn't find any.
What did you expect to see?
Version: v26.1.0

The Traefik chart doesn't have an option to set a value for 'automountServiceAccountToken' at the pod level. This makes a Traefik deployment on an AKS cluster with policies non-compliant; the pod will be marked as a non-compliant resource. Affected policy: 'Kubernetes clusters should disable auto-mounting API credentials'
To reproduce:
```
kubectl exec traefik-pod -- cat /var/run/secrets/kubernetes.io/serviceaccount/token
```
This outputs the secret token. Manually setting this property on the service account results in Traefik not functioning properly, and pod settings take precedence.
Expected reflection of an example pod:
```yaml
apiVersion: v1
kind: Pod
metadata:
  name: traefik
spec:
  serviceAccountName: traefik
  automountServiceAccountToken: false
```
Expectation of policy: traefik pod is shown as compliant / not shown as non-compliant.
Hello @hAislt,
Thanks for your interest in Traefik.
Traefik, as a dynamic entrypoint of a Kubernetes cluster, needs to read resources like Ingress, IngressRoute or HTTPRoute.
I don't see how Traefik will be able to read its dynamic configuration without this token. Anyway, you're welcome to open a PR if you need it.
Hello @mloiseleur,
Thanks for your response, that was helpful. When I manually set this property in the used service account, resources can't be read. I would have to implement a mechanism to manually mount the token and then handle the rotation/expiration of this token. I think this is not a proper solution.
Let me discuss this topic, then I will either do a PR or just close it. Thank you!
Since there is nothing to do on the Chart, I close this issue. Feel free to re-open if I missed something.
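The precedence mentioned in the issue (the pod-level `automountServiceAccountToken` wins over the ServiceAccount's, and an unset value defaults to mounting) can be audited across a namespace. The following is an added example, not code from the chart or from anyone in this thread; the object names and the sample data are constructed, and the pod-level-only policy check is an assumption based on the issue's description.

```python
import json

# Constructed sample, shaped like `kubectl get pods,serviceaccounts -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"kind": "ServiceAccount", "metadata": {"name": "traefik", "namespace": "ingress"},
   "automountServiceAccountToken": false},
  {"kind": "ServiceAccount", "metadata": {"name": "default", "namespace": "ingress"}},
  {"kind": "Pod", "metadata": {"name": "traefik-a", "namespace": "ingress"},
   "spec": {"serviceAccountName": "traefik", "automountServiceAccountToken": true}},
  {"kind": "Pod", "metadata": {"name": "traefik-b", "namespace": "ingress"},
   "spec": {"serviceAccountName": "traefik"}},
  {"kind": "Pod", "metadata": {"name": "traefik-c", "namespace": "ingress"},
   "spec": {"serviceAccountName": "traefik", "automountServiceAccountToken": false}},
  {"kind": "Pod", "metadata": {"name": "web", "namespace": "ingress"}, "spec": {}}
]}
""")

def effective_automount(pod_spec, service_account):
    """Kubernetes rule: pod-level value wins, then the ServiceAccount's, else true."""
    for source in (pod_spec, service_account or {}):
        value = source.get("automountServiceAccountToken")
        if value is not None:
            return value
    return True

def audit(objects):
    """Return {pod name: (token_mounted, pod_level_false)} for every Pod."""
    accounts = {(o["metadata"]["namespace"], o["metadata"]["name"]): o
                for o in objects["items"] if o["kind"] == "ServiceAccount"}
    report = {}
    for o in objects["items"]:
        if o["kind"] != "Pod":
            continue
        spec = o.get("spec", {})
        sa_name = spec.get("serviceAccountName") or "default"
        sa = accounts.get((o["metadata"]["namespace"], sa_name))
        mounted = effective_automount(spec, sa)
        # Assumption: the policy looks only at the pod-level field, as the issue describes.
        pod_level_false = spec.get("automountServiceAccountToken") is False
        report[o["metadata"]["name"]] = (mounted, pod_level_false)
    return report

if __name__ == "__main__":
    for name, (mounted, compliant) in audit(SAMPLE).items():
        print(f"{name}: token mounted={mounted}, pod-level false={compliant}")
```

In the sample, `traefik-b` gets no token because its ServiceAccount disables mounting, yet it would still be flagged by a check that only reads the pod-level field.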