Skip to content

Commit

Permalink
Manually mount serviceAccount token (#13186)
Browse files Browse the repository at this point in the history 
Subject
Disables "automountServiceAccountToken", instead manually mounts it as a projected volume where necessary

Problem
By default, kubernetes enables "automountServiceAccountToken" for all pods.
This poses a security risk, as pods might get kube-api permissions unintentionally.
More specifically, this fails security compliance tests:
https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://www.azadvertizer.net/azpolicyadvertizer/kubernetes_block-automount-token.html

Solution
Disable  "automountServiceAccountToken", create projected volume for the token, and mount it on relevant containers

Validation
Linkerd pods are able to access k8s API, work as expected (same as before)

Fixes #13108 
---------

Signed-off-by: Aran Shavit <Aranshavit@gmail.com>
  • Loading branch information
@Aransh
Aransh authored Oct 22, 2024
1 parent 54ac5dc commit 351cc68
Show file tree
Hide file tree
Showing 49 changed files with 2,755 additions and 56 deletions.
12 changes: 12 additions & 0 deletions charts/linkerd-control-plane/templates/destination.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -181,6 +181,7 @@ spec:
{{- include "linkerd.node-selector" . | nindent 6 }}
{{- $_ := set $tree "component" "destination" -}}
{{- include "linkerd.affinity" $tree | nindent 6 }}
automountServiceAccountToken: false
containers:
{{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }}
{{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
Expand Down Expand Up @@ -268,6 +269,10 @@ spec:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access
readOnly: true
- args:
- sp-validator
- -log-level={{.Values.controllerLogLevel}}
Expand Down Expand Up @@ -326,6 +331,9 @@ spec:
- mountPath: /var/run/linkerd/tls
name: sp-tls
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access
readOnly: true
- args:
- --admin-addr={{ if .Values.disableIPv6 }}0.0.0.0{{ else }}[::]{{ end }}:9990
- --control-plane-namespace={{.Release.Namespace}}
Expand Down Expand Up @@ -395,6 +403,9 @@ spec:
- mountPath: /var/run/linkerd/tls
name: policy-tls
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access
readOnly: true
initContainers:
{{ if .Values.cniEnabled -}}
- {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
Expand Down Expand Up @@ -426,6 +437,7 @@ spec:
- name: policy-tls
secret:
secretName: linkerd-policy-validator-k8s-tls
- {{- include "partials.volumes.manual-mount-service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{ if not .Values.cniEnabled -}}
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{ end -}}
Expand Down
7 changes: 7 additions & 0 deletions charts/linkerd-control-plane/templates/heartbeat.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,7 @@ spec:
type: RuntimeDefault
serviceAccountName: linkerd-heartbeat
restartPolicy: Never
automountServiceAccountToken: false
containers:
- name: heartbeat
image: {{.Values.controllerImage}}:{{.Values.controllerImageVersion | default .Values.linkerdVersion}}
Expand Down Expand Up @@ -91,4 +92,10 @@ spec:
allowPrivilegeEscalation: false
seccompProfile:
type: RuntimeDefault
volumeMounts:
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access
readOnly: true
volumes:
- {{- include "partials.volumes.manual-mount-service-account-token" . | indent 12 | trimPrefix (repeat 11 " ") }}
{{- end }}
5 changes: 5 additions & 0 deletions charts/linkerd-control-plane/templates/identity.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,7 @@ spec:
{{- include "linkerd.node-selector" . | nindent 6 }}
{{- $_ := set $tree "component" "identity" -}}
{{- include "linkerd.affinity" $tree | nindent 6 }}
automountServiceAccountToken: false
containers:
- args:
- identity
Expand Down Expand Up @@ -222,6 +223,9 @@ spec:
name: identity-issuer
- mountPath: /var/run/linkerd/identity/trust-roots/
name: trust-roots
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access
readOnly: true
{{- $_ := set $tree.Values.proxy "await" false }}
{{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
{{- $_ := set $tree.Values.proxy "podInboundPorts" "8080,9990" }}
Expand Down Expand Up @@ -262,6 +266,7 @@ spec:
- configMap:
name: linkerd-identity-trust-roots
name: trust-roots
- {{- include "partials.volumes.manual-mount-service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{ if not .Values.cniEnabled -}}
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{ end -}}
Expand Down
5 changes: 5 additions & 0 deletions charts/linkerd-control-plane/templates/proxy-injector.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ spec:
{{- include "linkerd.node-selector" . | nindent 6 }}
{{- $_ := set $tree "component" "proxy-injector" -}}
{{- include "linkerd.affinity" $tree | nindent 6 }}
automountServiceAccountToken: false
containers:
{{- $_ := set $tree.Values.proxy "await" $tree.Values.proxy.await }}
{{- $_ := set $tree.Values.proxy "loadTrustBundleFromConfigMap" true }}
Expand Down Expand Up @@ -139,6 +140,9 @@ spec:
- mountPath: /var/run/linkerd/tls
name: tls
readOnly: true
- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
name: kube-api-access
readOnly: true
initContainers:
{{ if .Values.cniEnabled -}}
- {{- include "partials.network-validator" $tree | indent 8 | trimPrefix (repeat 7 " ") }}
Expand Down Expand Up @@ -173,6 +177,7 @@ spec:
- name: tls
secret:
secretName: linkerd-proxy-injector-k8s-tls
- {{- include "partials.volumes.manual-mount-service-account-token" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{ if not .Values.cniEnabled -}}
- {{- include "partials.proxyInit.volumes.xtables" . | indent 8 | trimPrefix (repeat 7 " ") }}
{{ end -}}
Expand Down
21 changes: 21 additions & 0 deletions charts/partials/templates/_volumes.tpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,3 +18,24 @@ projected:
expirationSeconds: 86400 {{- /* # 24 hours */}}
audience: identity.l5d.io
{{- end -}}

{{- define "partials.volumes.manual-mount-service-account-token" -}}
name: kube-api-access
projected:
defaultMode: 420
sources:
- serviceAccountToken:
expirationSeconds: 3607
path: token
- configMap:
items:
- key: ca.crt
path: ca.crt
name: kube-root-ca.crt
- downwardAPI:
items:
- fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
path: namespace
{{- end -}}
97 changes: 97 additions & 0 deletions cli/cmd/testdata/install_controlplane_tracing_output.golden
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading

0 comments on commit 351cc68

Please sign in to comment.