Skip to content

Vault Kubernetes auth reads service account token files without size bounds #7783

Description

@zroubalik

Summary
Vault Kubernetes authentication reads the configured projected service account token path with an unbounded file read. A large file at that path can cause excessive memory use in the operator before token validation runs.

Expected fix
Reject non-regular files and enforce a small maximum read size before validating the service account token.

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

Status
Ready To Ship

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions