From 040f47f0e59eb631f4d91bb48a1e3dd9c98956ff Mon Sep 17 00:00:00 2001
From: Michal Schott <schott.michal@gmail.com>
Date: Thu, 16 Jan 2025 12:22:12 +0100
Subject: [PATCH] Restrict auto-mount of service account token in service
 account

---
 charts/karpenter/templates/deployment.yaml     | 1 +
 charts/karpenter/templates/serviceaccount.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/charts/karpenter/templates/deployment.yaml b/charts/karpenter/templates/deployment.yaml
index 990ce486292e..0176c67cf474 100644
--- a/charts/karpenter/templates/deployment.yaml
+++ b/charts/karpenter/templates/deployment.yaml
@@ -35,6 +35,7 @@ spec:
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      automountServiceAccountToken: true
       serviceAccountName: {{ include "karpenter.serviceAccountName" . }}
       {{- with .Values.podSecurityContext }}
       securityContext:
diff --git a/charts/karpenter/templates/serviceaccount.yaml b/charts/karpenter/templates/serviceaccount.yaml
index 0141afc29ebf..f23be1d2d226 100644
--- a/charts/karpenter/templates/serviceaccount.yaml
+++ b/charts/karpenter/templates/serviceaccount.yaml
@@ -16,3 +16,4 @@ metadata:
   {{- end }}
   {{- end }}
 {{- end -}}
+automountServiceAccountToken: false