Merge pull request #1591 from paulfantom/automountServiceAccountToken

disable injecting unnecessary service account tokens that allow access to the k8s API
Arthur Silva Sens 2022-02-05 18:28:33 +00:00 committed by GitHub
commit db61b3e18e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 86 additions and 1 deletions


@ -17,6 +17,8 @@ JSONNETFMT_ARGS=-n 2 --max-blank-lines 2 --string-style s --comment-style s
MDOX_VALIDATE_CONFIG?=.mdox.validate.yaml MDOX_VALIDATE_CONFIG?=.mdox.validate.yaml
MD_FILES_TO_FORMAT=$(shell find docs developer-workspace examples experimental jsonnet manifests -name "*.md") $(shell ls *.md) MD_FILES_TO_FORMAT=$(shell find docs developer-workspace examples experimental jsonnet manifests -name "*.md") $(shell ls *.md)
KUBESCAPE_THRESHOLD=9
all: generate fmt test docs all: generate fmt test docs
.PHONY: clean .PHONY: clean
@ -66,7 +68,7 @@ kubeconform: crdschemas manifests $(KUBECONFORM_BIN)
.PHONY: kubescape .PHONY: kubescape
kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't' kubescape: $(KUBESCAPE_BIN) ## Runs a security analysis on generated manifests - failing if risk score is above threshold percentage 't'
$(KUBESCAPE_BIN) scan -s framework -t 17 nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json' $(KUBESCAPE_BIN) scan -s framework -t $(KUBESCAPE_THRESHOLD) nsa manifests/*.yaml --exceptions 'kubescape-exceptions.json'
.PHONY: fmt .PHONY: fmt
fmt: $(JSONNETFMT_BIN) fmt: $(JSONNETFMT_BIN)


@ -9,3 +9,16 @@ While we aim for best practices in terms of security by default, due to the natu
* Host Port is set. [Kubernetes already sets a Host Port by default when Host Network is enabled.](https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411). Since nothing can be done here, we configure it to our preference port. * Host Port is set. [Kubernetes already sets a Host Port by default when Host Network is enabled.](https://github.com/kubernetes/kubernetes/blob/1945829906546caf867992669a0bfa588edf8be6/pkg/apis/core/v1/defaults.go#L402-L411). Since nothing can be done here, we configure it to our preference port.
* Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics. * Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
* Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics. * Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
#### prometheus-adapter
* `automountServiceAccountToken` is set to `true` on Pod level as application requires connection to kubernetes API server.
#### blackbox-exporter
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
#### kube-state-metrics
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.
#### prometheus-operator
* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.


@ -121,6 +121,7 @@ function(params) {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount', kind: 'ServiceAccount',
metadata: am._metadata, metadata: am._metadata,
automountServiceAccountToken: false,
}, },
service: { service: {
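Review bot: Setting `automountServiceAccountToken: false` on the Alertmanager ServiceAccount changes the default for pods that are not defined in this file: the Alertmanager pods are created by prometheus-operator from the Alertmanager CR, so whether they still receive a token now depends on what the operator puts in the generated pod spec, which is not visible here. If nothing in those pods needs the API this is fine, but it is worth a comment on the line, e.g. `// Pods are operator-generated; they only get a token if the operator sets automountServiceAccountToken on the pod spec.`, and a check against the pinned operator version. The docs section in this commit lists the components that opt back in at pod level but does not mention alertmanager or prometheus, so the intended state for the operator-managed workloads should be documented either way.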


@ -115,6 +115,7 @@ function(params) {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount', kind: 'ServiceAccount',
metadata: bb._metadata, metadata: bb._metadata,
automountServiceAccountToken: false,
}, },
clusterRole: { clusterRole: {
@ -238,6 +239,7 @@ function(params) {
spec: { spec: {
containers: [blackboxExporter, reloader, kubeRbacProxy], containers: [blackboxExporter, reloader, kubeRbacProxy],
nodeSelector: { 'kubernetes.io/os': 'linux' }, nodeSelector: { 'kubernetes.io/os': 'linux' },
automountServiceAccountToken: true,
serviceAccountName: 'blackbox-exporter', serviceAccountName: 'blackbox-exporter',
volumes: [{ volumes: [{
name: 'config', name: 'config',
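Review bot: The pod-level `automountServiceAccountToken: true` mounts the token into all three containers in `containers: [blackboxExporter, reloader, kubeRbacProxy]`, although the docs added in this commit say only the kube-rbac-proxy sidecar needs API access. The net effect is therefore the same as before for the other two containers; the ServiceAccount-level `false` only hardens the default for pods that do not opt in. If the goal is to keep the token away from the exporter and reloader, the tighter pattern is to leave the pod at `false` and add a projected `serviceAccountToken` volume mounted only on the kubeRbacProxy container. At minimum a comment on the line would make the trade-off explicit: `// Opted back in for the whole pod; only kube-rbac-proxy needs the token, but all containers can read it.`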


@ -88,10 +88,12 @@ function(params)
// 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged. // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
// 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged. // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
// 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged. // 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
// FIXME(paulfantom): `automountServiceAccountToken` can be removed after porting to brancz/kuberentes-grafana
deployment+: { deployment+: {
spec+: { spec+: {
template+: { template+: {
spec+: { spec+: {
automountServiceAccountToken: false,
containers: std.map(function(c) c { containers: std.map(function(c) c {
securityContext+: { securityContext+: {
allowPrivilegeEscalation: false, allowPrivilegeEscalation: false,
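Review bot: The new FIXME comment misspells the upstream repo: `brancz/kuberentes-grafana` should be `brancz/kubernetes-grafana`, matching the URLs in the three comments above it. It would also help to note why pod-level is the right place for this override: the Grafana ServiceAccount comes from the upstream library and is not touched in this diff, and a pod-level `automountServiceAccountToken` takes precedence over the ServiceAccount-level setting, so `false` here is effective regardless of the upstream default, e.g. `// Set at pod level so it wins over whatever the upstream ServiceAccount specifies.` The `deployment+:` override begins in this hunk and continues past its end.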


@ -129,6 +129,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
}, },
}, },
spec+: { spec+: {
automountServiceAccountToken: true,
containers: std.map(function(c) c { containers: std.map(function(c) c {
ports:: null, ports:: null,
livenessProbe:: null, livenessProbe:: null,
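Review bot: This section only adds the pod-level `automountServiceAccountToken: true`; unlike alertmanager, blackbox-exporter, node-exporter, prometheus-adapter and prometheus in this same commit, the kube-state-metrics ServiceAccount (which appears to come from the upstream jsonnet imported on the hunk header line) is not given `automountServiceAccountToken: false`, so the hardening is asymmetric. If the upstream object can be overridden the same way the Deployment is, `serviceAccount+: { automountServiceAccountToken: false }` would bring it in line. A short comment on the new line would also avoid the impression that only the sidecars need the token, since kube-state-metrics itself presumably needs the API to list the resources it exports: `// Explicit opt-in: both kube-state-metrics and the kube-rbac-proxy sidecars talk to the API.` The enclosing `spec+:` override continues past the end of the hunk.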


@ -114,6 +114,7 @@ function(params) {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount', kind: 'ServiceAccount',
metadata: ne._metadata, metadata: ne._metadata,
automountServiceAccountToken: false,
}, },
service: { service: {
@ -246,6 +247,7 @@ function(params) {
{ name: 'sys', hostPath: { path: '/sys' } }, { name: 'sys', hostPath: { path: '/sys' } },
{ name: 'root', hostPath: { path: '/' } }, { name: 'root', hostPath: { path: '/' } },
], ],
automountServiceAccountToken: true,
serviceAccountName: ne._config.name, serviceAccountName: ne._config.name,
securityContext: { securityContext: {
runAsUser: 65534, runAsUser: 65534,
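Review bot: The pod-level `automountServiceAccountToken: true` is placed directly after the `hostPath: { path: '/' }` volume, which is a useful reminder of what it pairs with: this pod already runs with hostPID, hostNetwork and the host root mounted (per the docs in this commit), and the token is now explicitly mounted into the node-exporter container as well, even though only the kube-rbac-proxy sidecar needs it. A compromise of the exporter container thus keeps a cluster identity in addition to host access. Restricting the token to the sidecar via a projected `serviceAccountToken` volume plus a `volumeMounts` entry on kube-rbac-proxy only would narrow that, and is worth at least a comment: `// Whole-pod opt-in; only kube-rbac-proxy needs the token — consider a projected token mounted on that container alone.`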


@ -253,6 +253,7 @@ function(params) {
spec: { spec: {
containers: [c], containers: [c],
serviceAccountName: $.serviceAccount.metadata.name, serviceAccountName: $.serviceAccount.metadata.name,
automountServiceAccountToken: true,
nodeSelector: { 'kubernetes.io/os': 'linux' }, nodeSelector: { 'kubernetes.io/os': 'linux' },
volumes: [ volumes: [
{ name: 'tmpfs', emptyDir: {} }, { name: 'tmpfs', emptyDir: {} },
@ -268,6 +269,7 @@ function(params) {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount', kind: 'ServiceAccount',
metadata: pa._metadata, metadata: pa._metadata,
automountServiceAccountToken: false,
}, },
clusterRole: { clusterRole: {


@ -131,6 +131,7 @@ function(params)
spec+: { spec+: {
template+: { template+: {
spec+: { spec+: {
automountServiceAccountToken: true,
containers: std.map(function(c) c { containers: std.map(function(c) c {
securityContext+: { securityContext+: {
capabilities: { drop: ['ALL'] }, capabilities: { drop: ['ALL'] },
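Review bot: As with kube-state-metrics, only the pod-level `automountServiceAccountToken: true` is added here; the prometheus-operator ServiceAccount is not part of this diff and does not get `automountServiceAccountToken: false`, so this component is left less strict than the ones whose ServiceAccounts are edited in the same commit. If the ServiceAccount is exposed by the upstream library as an overridable field, a `serviceAccount+: { automountServiceAccountToken: false }` override next to this `deployment+:` block would close the gap. The pod-level `true` itself is expected, since the operator has to talk to the API; a comment saying so, `// Operator needs the API; token deliberately mounted.`, would document the exception alongside the kubescape exception added for it. The `spec+:` block continues beyond the hunk.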


@ -98,6 +98,7 @@ function(params) {
apiVersion: 'v1', apiVersion: 'v1',
kind: 'ServiceAccount', kind: 'ServiceAccount',
metadata: p._metadata, metadata: p._metadata,
automountServiceAccountToken: false,
}, },
service: { service: {


@ -1,4 +1,53 @@
[ [
{
"name": "exclude-automountServiceAccountToken-checks",
"policyType": "postureExceptionPolicy",
"actions": [
"alertOnly"
],
"resources": [
{
"designatorType": "Attributes",
"attributes": {
"kind": "DaemonSet",
"name": "node-exporter"
}
},
{
"designatorType": "Attributes",
"attributes": {
"kind": "Deployment",
"name": "blackbox-exporter"
}
},
{
"designatorType": "Attributes",
"attributes": {
"kind": "Deployment",
"name": "kube-state-metrics"
}
},
{
"designatorType": "Attributes",
"attributes": {
"kind": "Deployment",
"name": "prometheus-adapter"
}
},
{
"designatorType": "Attributes",
"attributes": {
"kind": "Deployment",
"name": "prometheus-operator"
}
}
],
"posturePolicies": [
{
"controlName": "Automatic mapping of service account"
}
]
},
{ {
"name": "exclude-node-exporter-host-access-checks", "name": "exclude-node-exporter-host-access-checks",
"policyType": "postureExceptionPolicy", "policyType": "postureExceptionPolicy",
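Review bot: The new exception suppresses the "Automatic mapping of service account" control only for the five named workloads (`kind`/`name` designators), not for ServiceAccount objects; the kube-state-metrics and prometheus-operator ServiceAccounts are not set to `automountServiceAccountToken: false` anywhere in this commit, so if the control also evaluates ServiceAccounts those two would still count towards the score, which the lowered threshold in the Makefile may hide rather than fix. The designators also carry no `namespace` attribute, so any object with the same kind and name in another namespace is exempted too; if the exception schema allows it, adding `"namespace": "monitoring"` to each designator would scope it. Finally, `actions: ["alertOnly"]` means these findings are still reported, which is good, but the rationale (pod-level opt-in required by kube-rbac-proxy / the application) lives only in the docs; the exception `name` could carry it, e.g. `exclude-automountServiceAccountToken-checks-pod-level-optin`.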


@ -1,4 +1,5 @@
apiVersion: v1 apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
labels: labels:


@ -25,6 +25,7 @@ spec:
app.kubernetes.io/part-of: kube-prometheus app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.19.0 app.kubernetes.io/version: 0.19.0
spec: spec:
automountServiceAccountToken: true
containers: containers:
- args: - args:
- --config.file=/etc/blackbox_exporter/config.yml - --config.file=/etc/blackbox_exporter/config.yml


@ -1,4 +1,5 @@
apiVersion: v1 apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
labels: labels:


@ -27,6 +27,7 @@ spec:
app.kubernetes.io/part-of: kube-prometheus app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 8.3.4 app.kubernetes.io/version: 8.3.4
spec: spec:
automountServiceAccountToken: false
containers: containers:
- env: [] - env: []
image: grafana/grafana:8.3.4 image: grafana/grafana:8.3.4


@ -24,6 +24,7 @@ spec:
app.kubernetes.io/part-of: kube-prometheus app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 1.3.1 app.kubernetes.io/version: 1.3.1
spec: spec:
automountServiceAccountToken: true
containers: containers:
- args: - args:
- --web.listen-address=127.0.0.1:9100 - --web.listen-address=127.0.0.1:9100


@ -1,4 +1,5 @@
apiVersion: v1 apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
labels: labels:


@ -1,4 +1,5 @@
apiVersion: v1 apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
labels: labels:


@ -27,6 +27,7 @@ spec:
app.kubernetes.io/part-of: kube-prometheus app.kubernetes.io/part-of: kube-prometheus
app.kubernetes.io/version: 0.9.1 app.kubernetes.io/version: 0.9.1
spec: spec:
automountServiceAccountToken: true
containers: containers:
- args: - args:
- --cert-dir=/var/run/serving-cert - --cert-dir=/var/run/serving-cert


@ -1,4 +1,5 @@
apiVersion: v1 apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
labels: labels: