Merge pull request #1591 from paulfantom/automountServiceAccountToken
disable injecting unnecessary variables allowing access to k8s API
4
Makefile
4
Makefile
@@ -17,6 +17,8 @@ JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s
|
||||
MDOX_VALIDATE_CONFIG?=.mdox.validate.yaml
|
||||
MD_FILES_TO_FORMAT=$(shell find docs developer-workspace examples experimental jsonnet manifests -name "*.md") $(shell ls *.md)
|
||||
|
||||
KUBESCAPE_THRESHOLD=9
|
||||
|
||||
all: generate fmt test docs
|
||||
|
||||
.PHONY: clean
|
||||
@@ -66,7 +68,7 @@ kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
|
||||
|
||||
.PHONY: kubescape
|
||||
kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't'
|
||||
$(KUBESCAPE_BIN) scan -s framework -t 17 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'
|
||||
$(KUBESCAPE_BIN) scan -s framework -t $(KUBESCAPE_THRESHOLD) nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'
|
||||
|
||||
.PHONY: fmt
|
||||
fmt: $(JSONNETFMT_BIN)
|
||||
|
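Review bot: The `##` help text on the `kubescape` target still says "above threshold percentage 't'" although the value now comes from `KUBESCAPE_THRESHOLD`; I would rewrite it as `## Runs a security analysis on generated manifests - fails if the risk score is above KUBESCAPE_THRESHOLD percent (default 9, override with make kubescape KUBESCAPE_THRESHOLD=N)` so `make help` documents the knob. The drop from 17 to 9 lands in the same commit as the new `alertOnly` exception for the "Automatic mapping of service account" control on five workloads, so the score is partly a product of the exception file; a comment above `KUBESCAPE_THRESHOLD=9` such as `# Re-derive after changing manifests or kubescape-exceptions.json` would stop this from becoming a gate that only passes because of exceptions. Plain `=` is fine here since a command-line assignment overrides the file value.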
@@ -9,3 +9,16 @@ While we aim for best practices in terms of security by default, due to the natu
|
||||
* Host Port is set. [Kubernetes already sets a Host Port by default when Host Network is enabled.](https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411). Since nothing can be done here, we configure it to our preference port.
|
||||
* Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
|
||||
* Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
|
||||
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
|
||||
|
||||
#### prometheus-adapter
|
||||
* `automountServiceAccountToken` is set to `true` on Pod level as application requires connection to kubernetes API server.
|
||||
|
||||
#### blackbox-exporter
|
||||
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
|
||||
|
||||
#### kube-state-metrics
|
||||
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.
|
||||
|
||||
#### prometheus-operator
|
||||
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.
|
||||
|
@@ -121,6 +121,7 @@ function(params) {
|
||||
apiVersion: 'v1',
|
||||
kind: 'ServiceAccount',
|
||||
metadata: am._metadata,
|
||||
automountServiceAccountToken: false,
|
||||
},
|
||||
|
||||
service: {
|
||||
|
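Review bot: `automountServiceAccountToken: false` on the alertmanager ServiceAccount only takes effect for pods that do not set the field themselves, and the Alertmanager pod spec is generated by prometheus-operator rather than by this file, so the outcome should be confirmed against the generated StatefulSet: if the operator sets the field to true on the pod this line is a no-op, and if it does not and alertmanager or its config-reloader needs in-cluster API access, the change breaks it. Whichever case was verified is worth recording on the line, e.g. `// Pod-level value is decided by prometheus-operator's generated StatefulSet; verified against the pinned operator version.` The enclosing object continues outside the hunk.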
@@ -115,6 +115,7 @@ function(params) {
|
||||
apiVersion: 'v1',
|
||||
kind: 'ServiceAccount',
|
||||
metadata: bb._metadata,
|
||||
automountServiceAccountToken: false,
|
||||
},
|
||||
|
||||
clusterRole: {
|
||||
@@ -238,6 +239,7 @@ function(params) {
|
||||
spec: {
|
||||
containers: [blackboxExporter, reloader, kubeRbacProxy],
|
||||
nodeSelector: { 'kubernetes.io/os': 'linux' },
|
||||
automountServiceAccountToken: true,
|
||||
serviceAccountName: 'blackbox-exporter',
|
||||
volumes: [{
|
||||
name: 'config',
|
||||
|
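Review bot: The pod-level `automountServiceAccountToken: true` in the deployment hunk overrides the `false` set on the ServiceAccount in the hunk above it, and neither line says why both are needed, so a later cleanup could drop either one and break kube-rbac-proxy or re-widen the default. A comment on the pod line would pin it down, e.g. `// The kube-rbac-proxy sidecar needs in-cluster API access; the ServiceAccount default is false so only this pod spec mounts the token.` Note also that the pod-level flag mounts the token into all three containers (blackbox-exporter, the reloader and kube-rbac-proxy), not only the sidecar that needs it, which is worth stating in the same comment so the broader exposure is a conscious choice. The deployment object continues outside the hunk.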
@@ -88,10 +88,12 @@ function(params)
|
||||
// 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
|
||||
// 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
|
||||
// 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
|
||||
// FIXME(paulfantom): `automountServiceAccountToken` can be removed after porting to brancz/kuberentes-grafana
|
||||
deployment+: {
|
||||
spec+: {
|
||||
template+: {
|
||||
spec+: {
|
||||
automountServiceAccountToken: false,
|
||||
containers: std.map(function(c) c {
|
||||
securityContext+: {
|
||||
allowPrivilegeEscalation: false,
|
||||
|
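Review bot: The grafana ServiceAccount is the only one among the components touched here that does not also get `automountServiceAccountToken: false` (the SA presumably comes from the imported brancz/kubernetes-grafana library rather than this file), so the pod-level `false` in this hunk is the only thing between a future pod-spec change and a mounted token; if the library exposes its ServiceAccount object, the same patching style would cover it with `serviceAccount+: { automountServiceAccountToken: false },` next to `deployment+:`. The new FIXME also differs from the three comments above it, which each link the upstream PR that will make the override redundant; it should carry an issue or PR link too, and it misspells the repository (`kuberentes-grafana`). The `deployment+` patch continues outside the hunk.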
@@ -129,6 +129,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
|
||||
},
|
||||
},
|
||||
spec+: {
|
||||
automountServiceAccountToken: true,
|
||||
containers: std.map(function(c) c {
|
||||
ports:: null,
|
||||
livenessProbe:: null,
|
||||
|
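Review bot: kube-state-metrics is one of the components in this change whose ServiceAccount does not also get `automountServiceAccountToken: false` (the others set it on the SA and re-enable it only on the pod), presumably because the SA is produced by the upstream kube-state-metrics jsonnet imported at the top of this file; if that object exposes a `serviceAccount` field, the override style already used for the deployment would cover it with `serviceAccount+: { automountServiceAccountToken: false },` — please verify the field name. Here the pod-level `true` is needed by the kube-state-metrics container itself, which lists cluster objects through the API, not only by the kube-rbac-proxy sidecars the docs mention, and a one-line comment saying so would keep the line from being mistaken for a copy of the sidecar-only cases. The `spec+` patch continues outside the hunk.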
@@ -114,6 +114,7 @@ function(params) {
|
||||
apiVersion: 'v1',
|
||||
kind: 'ServiceAccount',
|
||||
metadata: ne._metadata,
|
||||
automountServiceAccountToken: false,
|
||||
},
|
||||
|
||||
service: {
|
||||
@@ -246,6 +247,7 @@ function(params) {
|
||||
{ name: 'sys', hostPath: { path: '/sys' } },
|
||||
{ name: 'root', hostPath: { path: '/' } },
|
||||
],
|
||||
automountServiceAccountToken: true,
|
||||
serviceAccountName: ne._config.name,
|
||||
securityContext: {
|
||||
runAsUser: 65534,
|
||||
|
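Review bot: Pod-level `automountServiceAccountToken: true` mounts the token into every container of the DaemonSet, including node-exporter itself, which has the host root filesystem mounted (the `root` hostPath `/` volume just above) and, per the accompanying docs, runs with hostPID and hostNetwork, although only the kube-rbac-proxy sidecar needs API access; a compromise of the exporter would then also yield the service-account credential. Keeping the pod default at `false` and giving only the kube-rbac-proxy container a projected, short-lived token keeps the sidecar working and the token out of the privileged container. This assumes the cluster publishes the `kube-root-ca.crt` ConfigMap in every namespace (the default on recent Kubernetes) — please confirm for the versions this project supports. The container definitions are outside the hunk, so the `volumeMounts` addition belongs in the kubeRbacProxy local defined earlier in the file.

```jsonnet
          volumes: [
            { name: 'sys', hostPath: { path: '/sys' } },
            { name: 'root', hostPath: { path: '/' } },
            // Bound, short-lived token for kube-rbac-proxy only; node-exporter never sees it.
            {
              name: 'kube-api-access',
              projected: {
                sources: [
                  { serviceAccountToken: { path: 'token', expirationSeconds: 3600 } },
                  { configMap: { name: 'kube-root-ca.crt', items: [{ key: 'ca.crt', path: 'ca.crt' }] } },
                  { downwardAPI: { items: [{ path: 'namespace', fieldRef: { fieldPath: 'metadata.namespace' } }] } },
                ],
              },
            },
          ],
          automountServiceAccountToken: false,
          // … unchanged: serviceAccountName, securityContext …

// in the kubeRbacProxy container definition (above the hunk):
          volumeMounts+: [
            { name: 'kube-api-access', mountPath: '/var/run/secrets/kubernetes.io/serviceaccount', readOnly: true },
          ],
```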
@@ -253,6 +253,7 @@ function(params) {
|
||||
spec: {
|
||||
containers: [c],
|
||||
serviceAccountName: $.serviceAccount.metadata.name,
|
||||
automountServiceAccountToken: true,
|
||||
nodeSelector: { 'kubernetes.io/os': 'linux' },
|
||||
volumes: [
|
||||
{ name: 'tmpfs', emptyDir: {} },
|
||||
@@ -268,6 +269,7 @@ function(params) {
|
||||
apiVersion: 'v1',
|
||||
kind: 'ServiceAccount',
|
||||
metadata: pa._metadata,
|
||||
automountServiceAccountToken: false,
|
||||
},
|
||||
|
||||
clusterRole: {
|
||||
|
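Review bot: The deployment hunk turns `automountServiceAccountToken` on at pod level while the ServiceAccount hunk a few lines later turns it off, and neither line says why, so a reader tidying up either one could break the adapter or re-widen the default. I would annotate the pod line with `// prometheus-adapter itself talks to the API server (see the security docs); the ServiceAccount default is false so nothing else using this SA gets a token.` Both the pod spec and the ServiceAccount object continue outside their hunks.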
@@ -131,6 +131,7 @@ function(params)
|
||||
spec+: {
|
||||
template+: {
|
||||
spec+: {
|
||||
automountServiceAccountToken: true,
|
||||
containers: std.map(function(c) c {
|
||||
securityContext+: {
|
||||
capabilities: { drop: ['ALL'] },
|
||||
|
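Review bot: This enables the token on the prometheus-operator pod, but nothing in the change sets `automountServiceAccountToken: false` on the prometheus-operator ServiceAccount, unlike the hand-written components, so that SA keeps the cluster default; the ServiceAccount presumably comes from the upstream prometheus-operator jsonnet this file patches, and if the object is exposed the same `serviceAccount+: { automountServiceAccountToken: false },` override would close the gap — please verify the field name. The pod-level `true` is required by the operator container itself, which manages the Prometheus and Alertmanager resources through the API, not only by the kube-rbac-proxy sidecar the docs mention, and that deserves a one-line comment on the line. The `spec+` patch continues outside the hunk.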
@@ -98,6 +98,7 @@ function(params) {
|
||||
apiVersion: 'v1',
|
||||
kind: 'ServiceAccount',
|
||||
metadata: p._metadata,
|
||||
automountServiceAccountToken: false,
|
||||
},
|
||||
|
||||
service: {
|
||||
|
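Review bot: Prometheus relies on the service-account token for Kubernetes service discovery, and since its pod spec is produced by prometheus-operator rather than by this file, the SA-level `automountServiceAccountToken: false` added here is only safe if the operator explicitly sets the field to true on the generated StatefulSet; if it does not, discovery stops after this change and the only symptom is an empty target list. Please confirm against the operator version pinned in this repository and record it next to the line, e.g. `// Safe only because prometheus-operator sets automountServiceAccountToken: true on the Prometheus pod spec; re-check on operator upgrades.` The enclosing object continues outside the hunk.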
@@ -1,4 +1,53 @@
|
||||
[
|
||||
{
|
||||
"name": "exclude-automountServiceAccountToken-checks",
|
||||
"policyType": "postureExceptionPolicy",
|
||||
"actions": [
|
||||
"alertOnly"
|
||||
],
|
||||
"resources": [
|
||||
{
|
||||
"designatorType": "Attributes",
|
||||
"attributes": {
|
||||
"kind": "DaemonSet",
|
||||
"name": "node-exporter"
|
||||
}
|
||||
},
|
||||
{
|
||||
"designatorType": "Attributes",
|
||||
"attributes": {
|
||||
"kind": "Deployment",
|
||||
"name": "blackbox-exporter"
|
||||
}
|
||||
},
|
||||
{
|
||||
"designatorType": "Attributes",
|
||||
"attributes": {
|
||||
"kind": "Deployment",
|
||||
"name": "kube-state-metrics"
|
||||
}
|
||||
},
|
||||
{
|
||||
"designatorType": "Attributes",
|
||||
"attributes": {
|
||||
"kind": "Deployment",
|
||||
"name": "prometheus-adapter"
|
||||
}
|
||||
},
|
||||
{
|
||||
"designatorType": "Attributes",
|
||||
"attributes": {
|
||||
"kind": "Deployment",
|
||||
"name": "prometheus-operator"
|
||||
}
|
||||
}
|
||||
],
|
||||
"posturePolicies": [
|
||||
{
|
||||
"controlName": "Automatic mapping of service account"
|
||||
}
|
||||
]
|
||||
},
|
||||
{
|
||||
"name": "exclude-node-exporter-host-access-checks",
|
||||
"policyType": "postureExceptionPolicy",
|
||||
|
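Review bot: The five designators in `exclude-automountServiceAccountToken-checks` match on `kind` and `name` only, so any Deployment named `prometheus-operator` or DaemonSet named `node-exporter` in any namespace of a scanned cluster is downgraded to `alertOnly` for the "Automatic mapping of service account" control, not just the kube-prometheus ones; adding the target namespace to each `attributes` block, `"namespace": "<namespace the manifests are generated for>"`, keeps the exception as narrow as the justification in the docs. Strict JSON leaves no room for a rationale comment, so the exception `name` is the only place the reason survives; a name such as `automount-required-by-kube-rbac-proxy-or-api-client` would carry it better than the generic one. The second exception object that starts at the end of the hunk continues outside it.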
@@ -1,4 +1,5 @@
|
||||
apiVersion: v1
|
||||
automountServiceAccountToken: false
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
|
@@ -25,6 +25,7 @@ spec:
|
||||
app.kubernetes.io/part-of: kube-prometheus
|
||||
app.kubernetes.io/version: 0.19.0
|
||||
spec:
|
||||
automountServiceAccountToken: true
|
||||
containers:
|
||||
- args:
|
||||
- --config.file=/etc/blackbox_exporter/config.yml
|
||||
|
@@ -1,4 +1,5 @@
|
||||
apiVersion: v1
|
||||
automountServiceAccountToken: false
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
|
@@ -27,6 +27,7 @@ spec:
|
||||
app.kubernetes.io/part-of: kube-prometheus
|
||||
app.kubernetes.io/version: 8.3.4
|
||||
spec:
|
||||
automountServiceAccountToken: false
|
||||
containers:
|
||||
- env: []
|
||||
image: grafana/grafana:8.3.4
|
||||
|
@@ -24,6 +24,7 @@ spec:
|
||||
app.kubernetes.io/part-of: kube-prometheus
|
||||
app.kubernetes.io/version: 1.3.1
|
||||
spec:
|
||||
automountServiceAccountToken: true
|
||||
containers:
|
||||
- args:
|
||||
- --web.listen-address=127.0.0.1:9100
|
||||
|
@@ -1,4 +1,5 @@
|
||||
apiVersion: v1
|
||||
automountServiceAccountToken: false
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
|
@@ -1,4 +1,5 @@
|
||||
apiVersion: v1
|
||||
automountServiceAccountToken: false
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
|
@@ -27,6 +27,7 @@ spec:
|
||||
app.kubernetes.io/part-of: kube-prometheus
|
||||
app.kubernetes.io/version: 0.9.1
|
||||
spec:
|
||||
automountServiceAccountToken: true
|
||||
containers:
|
||||
- args:
|
||||
- --cert-dir=/var/run/serving-cert
|
||||
|
@@ -1,4 +1,5 @@
|
||||
apiVersion: v1
|
||||
automountServiceAccountToken: false
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
labels:
|
||||
|