docs: add security considerations regarding automountServiceAccountToken
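--- a/<path not shown on page: markdown docs>
+++ b/<path not shown on page: markdown docs>
@@ -9,3 +9,16 @@ While we aim for best practices in terms of security by default, due to the natu
 * Host Port is set. https://hub.armo.cloud/docs/c-0044 is not relevant since node-exporter is considered as a core platform component running as a DaemonSet.
 * Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
 * Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
+
+#### prometheus-adapter
+* `automountServiceAccountToken` is set to `true` on Pod level as application requires connection to kubernetes API server.
+
+#### blackbox-exporter
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
+
+#### kube-state-metrics
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.
+
+#### prometheus-operator
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.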
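Review bot: The bullets for node-exporter, blackbox-exporter, kube-state-metrics and prometheus-operator justify the setting by the kube-rbac-proxy sidecar alone, but `automountServiceAccountToken: true` at Pod level mounts the token into every container of the Pod, including the exporter container that does not need it, which is exactly the exposure the control flags. A closing sentence after the last bullet should state this, for example `Because the token is mounted at Pod level it is also readable by the exporter container; the blast radius is bounded by the RBAC bound to that service account.` — with the RBAC claim checked against the chart's role bindings before it is written, and optionally a note that a projected serviceAccountToken volume mounted only into the sidecar would avoid the Pod-wide mount. Two wording fixes in the same hunk: `sidecars requires` in the kube-state-metrics and prometheus-operator bullets should read `sidecars require`, and `kubernetes API server` is conventionally `Kubernetes API server`.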
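--- a/<path not shown on page: exceptions json>
+++ b/<path not shown on page: exceptions json>
@@ -1,4 +1,53 @@
 [
+{
+"name": "exclude-automountServiceAccountToken-checks",
+"policyType": "postureExceptionPolicy",
+"actions": [
+"alertOnly"
+],
+"resources": [
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "DaemonSet",
+"name": "node-exporter"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "Deployment",
+"name": "blackbox-exporter"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "Deployment",
+"name": "kube-state-metrics"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "Deployment",
+"name": "prometheus-adapter"
+}
+},
+{
+"designatorType": "Attributes",
+"attributes": {
+"kind": "Deployment",
+"name": "prometheus-operator"
+}
+}
+],
+"posturePolicies": [
+{
+"controlName": "Automatic mapping of service account"
+}
+]
+},
 {
 "name": "exclude-node-exporter-host-access-checks",
 "policyType": "postureExceptionPolicy",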
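Review bot: The designators in the new `exclude-automountServiceAccountToken-checks` exception match on `kind` and `name` only, so the "Automatic mapping of service account" control is downgraded to alert-only for any Deployment or DaemonSet with these names in any namespace, not just the monitoring stack's own workloads. Adding `"namespace": "<monitoring-namespace>"` (placeholder; the namespace the stack is installed into) to each `attributes` object keeps the exception scoped to the resources the documentation hunk actually justifies. The policy is selected by `controlName`; if the exception schema in use also accepts a control-ID key, that is the more stable reference, since control names can be reworded between releases. The existing `exclude-node-exporter-host-access-checks` object at the bottom continues outside the hunk.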