Remove automountServiceAccountToken for main containers #7970
Comments
Users can now configure this.
Hey @alexec, I'm wondering how I can configure this, since my SA contains permissions to S3 (for artifact management). It makes no sense for the main container to have access to this, and it's a serious security issue when running untrusted code. Based on the fields documentation I tried changing the Workflow like this:

```yaml
spec:
  automountServiceAccountToken: false
  executor:
    serviceAccountName: argo-workflow-executor
```

but the Workflow is constantly showing events such as

Is this the proper way to configure that? Thank you
I've run into the same issue. It seems that without setting

```yaml
autoMountServiceAccountToken: false
executor:
  serviceAccountName: default
```

I get the same error:
Hi @alexec, sorry to drag this up, but it's not clear where or how this can be configured. As far as I can tell,

```go
// Configure service account token volume for the main container when AutomountServiceAccountToken is disabled
if (woc.execWf.Spec.AutomountServiceAccountToken != nil && !*woc.execWf.Spec.AutomountServiceAccountToken) ||
	(tmpl.AutomountServiceAccountToken != nil && !*tmpl.AutomountServiceAccountToken) {
	for i, c := range pod.Spec.Containers {
		if c.Name == common.WaitContainerName {
			continue
		}
		c.VolumeMounts = append(c.VolumeMounts, apiv1.VolumeMount{
			Name:      common.ServiceAccountTokenVolumeName,
			MountPath: common.ServiceAccountTokenMountPath,
			ReadOnly:  true,
		})
		pod.Spec.Containers[i] = c
	}
}
```
Hi, is there any update on this? I'm trying to avoid the main container having any service account token, since we don't need it. We do have a Service Account called We are configuring the workflow as follows:

```yaml
spec:
  automountServiceAccountToken: false
  executor:
    serviceAccountName: workflow-pod
```

And we get the error:

We have also tried without setting Is there anything else we can do or try differently? Thanks!
Running into the same issue. Is there any update on this?
Ran into this same issue. For me, the issue was related to the long-lived serviceaccount token that Argo Workflow is trying to discover. In newer Kubernetes clusters (1.24+) it needs to be declared as a secret (of type service account), not a serviceaccount type. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: my-acct.service-account-token
  annotations:
    kubernetes.io/service-account.name: my-acct
type: kubernetes.io/service-account-token
```

This will make the serviceaccount discoverable; it can be applied to the executor, and then you can disable auto mounting the token. (NOTE: I believe this unfortunately creates a new risk, since the serviceaccount token will be long-lived, so if an attacker is able to gain access to this token, it'll be more persistent.)
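A check an operator can run over the pod spec these comments describe, added here as an example and not code from the issue or from Argo Workflows: it reports which containers of a workflow pod can read the service account token, treating only the `wait` sidecar as a legitimate holder. It assumes pod JSON as returned by `kubectl get pod <name> -o json`, the standard token mount path, and the default sidecar name `wait`; the embedded pod objects are constructed for the example.

```python
import json

# Standard path where the kubelet projects the service account token (assumption).
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"
# Argo's sidecar (assumed default name "wait"): the only container that needs
# the token, since it is the one that patches the pod.
SIDECAR = "wait"

# Constructed pod JSON trimmed to the fields the audit needs. It mirrors what the
# quoted controller code produces: automount disabled on the pod, but the token
# volume mounted into every container except the sidecar.
POD_ARGO = json.loads("""
{"spec": {"automountServiceAccountToken": false, "containers": [
  {"name": "wait", "volumeMounts": [{"name": "sa-token", "readOnly": true,
      "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]},
  {"name": "main", "volumeMounts": [{"name": "sa-token", "readOnly": true,
      "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}]}}
""")

# The same pod with the main container's token mount removed: what the issue asks for.
POD_FIXED = json.loads("""
{"spec": {"automountServiceAccountToken": false, "containers": [
  {"name": "wait", "volumeMounts": [{"name": "sa-token", "readOnly": true,
      "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]},
  {"name": "main", "volumeMounts": [{"name": "workdir", "mountPath": "/work"}]}]}}
""")


def token_holders(pod: dict) -> list[str]:
    """Containers that can read the SA token, via automount or an explicit mount.

    Only the pod spec is inspected; automountServiceAccountToken set on the
    ServiceAccount object itself is not visible from here.
    """
    spec = pod["spec"]
    # With automount left unset, the admission controller mounts the token everywhere.
    automount = spec.get("automountServiceAccountToken", True)
    holders = []
    for c in spec.get("containers", []):
        paths = (m.get("mountPath", "") for m in c.get("volumeMounts", []))
        explicit = any(p.rstrip("/") == SA_TOKEN_PATH for p in paths)
        if automount or explicit:
            holders.append(c["name"])
    return holders


def audit(pod: dict) -> list[str]:
    """Containers other than the sidecar that hold the token; empty means clean."""
    return [n for n in token_holders(pod) if n != SIDECAR]
```

Run `audit` over the live pod JSON; any name it returns is a container that would be able to use the executor's credentials.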
Summary
There's no reason to have this mounted for most tasks. In fact, main containers will get pod patch, allowing them to change other pods within the namespace. This might be easier than fixing #3961
Note, you now must explicitly mount the service account token, which has an unpredictable name.
Use Cases
Better default security.