easylinux/kube-prometheus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1591 from paulfantom/automountServiceAccountToken

Browse Source 
disable injecting unnecessary variables allowing access to k8s API
This commit is contained in:
Arthur Silva Sens
2022-02-05 18:28:33 +00:00
committed by GitHub
parent 0a76dc71d0 dd37165884
commit db61b3e18e
20 changed files with 86 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
docs/security.md
View File

@@ -9,3 +9,16 @@ While we aim for best practices in terms of security by default, due to the natu
* Host Port is set. [Kubernetes already sets a Host Port by default when Host Network is enabled.](https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411). Since nothing can be done here, we configure it to our preference port.
* Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
* Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
#### prometheus-adapter
* `automountServiceAccountToken` is set to `true` on Pod level as application requires connection to kubernetes API server.
#### blackbox-exporter
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
#### kube-state-metrics
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.
#### prometheus-operator
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.