Remove automountServiceAccountToken for main containers #7970

Open
alexec opened this issue Feb 22, 2022 · 7 comments
Labels
area/executor type/feature Feature request type/security Security related

Comments

@alexec
Contributor

alexec commented Feb 22, 2022

Summary

There's no reason to have this mounted for most tasks. In fact, main containers will get pod patch, allowing them to change other pods within the namespace.

This might be easier than fixing #3961

Note, you now must explicitly mount the service account token, which has an unpredictable name.

Use Cases

Better default security.


Message from the maintainers:

Love this enhancement proposal? Give it a 👍. We prioritise the proposals with the most 👍.

@alexec
Contributor Author

alexec commented Mar 9, 2022

Users can now configure this.

@sevetseh28

sevetseh28 commented May 17, 2023

Hey @alexec I'm wondering how I can configure this since my SA contains permissions to S3 (for artifact management). It makes no sense for the main container to have access to this and it's a serious security issue when running untrusted code. Based on the fields documentation I tried changing the Workflow like this:

spec:
  automountServiceAccountToken: false
  executor:
     serviceAccountName: argo-workflow-executor

but the Workflow is constantly showing events such as
"Unable to attach or mount volumes: unmounted volumes=[exec-sa-token], unattached volumes=[tmp-dir-argo exec-sa-token argo-staging var-run-argo aws-iam-token]: timed out waiting for the condition"
"MountVolume.SetUp failed for volume "exec-sa-token" : secret "argo-workflow-executor.service-account-token" not found"

Is this the proper way to configure that?

thank you

@discordianfish
Contributor

discordianfish commented Mar 23, 2024

I've run into the same issue. It seems that without setting automountServiceAccountToken or any executor config, it is using the default service account. But if I do:

      autoMountServiceAccountToken: false
      executor:
        serviceAccountName: default

I get the same error:

  Warning  FailedMount  2s (x5 over 9s)  kubelet            MountVolume.SetUp failed for volume "exec-sa-token" : secret "default.service-account-token" not found

@philBrown
Contributor

> Users can now configure this.

Hi @alexec, sorry to drag this up but it's not clear where or how this can be configured.

As far as I can tell, workflowpod.go adds the exec-sa-token volume mount for every container except wait when automountServiceAccountToken: false is set.

// Configure service account token volume for the main container when AutomountServiceAccountToken is disabled
if (woc.execWf.Spec.AutomountServiceAccountToken != nil && !*woc.execWf.Spec.AutomountServiceAccountToken) ||
	(tmpl.AutomountServiceAccountToken != nil && !*tmpl.AutomountServiceAccountToken) {
	for i, c := range pod.Spec.Containers {
		if c.Name == common.WaitContainerName {
			continue
		}
		c.VolumeMounts = append(c.VolumeMounts, apiv1.VolumeMount{
			Name:      common.ServiceAccountTokenVolumeName,
			MountPath: common.ServiceAccountTokenMountPath,
			ReadOnly:  true,
		})
		pod.Spec.Containers[i] = c
	}
}

@francozuca

francozuca commented Jul 5, 2024

Hi, is there any update on this? I'm trying to avoid the main container to have any service account token since we don't need it.

We do have a Service Account called workflow-pod with the necessary permissions for the pod to update the Workflow status once the workflow is completed.

We are configuring the workflow as follows:

spec:
  automountServiceAccountToken: false
  executor:
     serviceAccountName: workflow-pod

And we get the error:

MountVolume.SetUp failed for volume "exec-sa-token" : secret "workflow-pod. service-account-token" not found

We have also tried without setting automountServiceAccountToken at all and it fails in the same way.

Is there anything else we can do or try different? Thanks!

@ephraimrothschild

Running into the same issue. Is there any update on this?

@antitree

antitree commented Dec 5, 2024

Ran into this same issue. For me, the issue was related to the long-lived serviceaccount token that Argo Workflow is trying to discover. In newer kubernetes clusters (1.24+) it needs to be declared as a secret (of type service account), not a serviceaccount type. See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-long-lived-api-token-for-a-serviceaccount

apiVersion: v1
kind: Secret
metadata:
  name: my-acct.service-account-token
  annotations:
    kubernetes.io/service-account.name: my-acct
type: kubernetes.io/service-account-token

This will make the serviceaccount discoverable and can be applied to the executor and then you can disable auto mounting the token.

(NOTE: I believe this unfortunately creates a new risk that the serviceaccount token will be long-lived so if an attacker is able to gain access to this token, it'll be more persistent)
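Added example, not Argo's code and not posted by anyone in this thread: once the `<sa>.service-account-token` Secret above exists and the Workflow sets `automountServiceAccountToken: false` with `executor.serviceAccountName`, the thing to verify is that the resulting pod spec exposes a token to `wait` only, and not to `main` (the `workflowpod.go` loop quoted earlier mounts `exec-sa-token` into every non-wait container, which this check would flag). The program below reads raw `kubectl get pod -o json` output with a trimmed-down Pod model (an assumption, to avoid a client-go dependency) and reports, per container, the paths at which a service account token is readable. It treats two volume kinds as token carriers: the kubelet's projected `kube-api-access-*` volume and a Secret whose name ends in `.service-account-token`. Both pod documents are constructed samples, not captured from a cluster.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Minimal Pod model covering only the fields this check reads. Assumption:
// input is raw `kubectl get pod <name> -o json`; client-go is deliberately
// not used so the example runs offline.
type Pod struct {
	Spec struct {
		AutomountServiceAccountToken *bool       `json:"automountServiceAccountToken"`
		Containers                   []Container `json:"containers"`
		Volumes                      []Volume    `json:"volumes"`
	} `json:"spec"`
}

type Container struct {
	Name         string        `json:"name"`
	VolumeMounts []VolumeMount `json:"volumeMounts"`
}

type VolumeMount struct {
	Name      string `json:"name"`
	MountPath string `json:"mountPath"`
}

type Volume struct {
	Name      string           `json:"name"`
	Secret    *SecretSource    `json:"secret,omitempty"`
	Projected *ProjectedSource `json:"projected,omitempty"`
}

type SecretSource struct {
	SecretName string `json:"secretName"`
}

type ProjectedSource struct {
	Sources []struct {
		ServiceAccountToken *struct {
			Path string `json:"path"`
		} `json:"serviceAccountToken,omitempty"`
	} `json:"sources"`
}

// isTokenVolume reports whether a volume delivers a service account token:
// either the kubelet's projected token volume (kube-api-access-*) or a Secret
// named "<sa>.service-account-token", the naming the exec-sa-token volume
// in this issue expects.
func isTokenVolume(v Volume) bool {
	if v.Projected != nil {
		for _, s := range v.Projected.Sources {
			if s.ServiceAccountToken != nil {
				return true
			}
		}
	}
	return v.Secret != nil && strings.HasSuffix(v.Secret.SecretName, ".service-account-token")
}

// TokenMounts maps each container name to the mount paths at which a token
// would be readable inside it. An empty slice for "main" is the target state.
func TokenMounts(podJSON []byte) (map[string][]string, error) {
	var pod Pod
	if err := json.Unmarshal(podJSON, &pod); err != nil {
		return nil, err
	}
	tokenVols := map[string]bool{}
	for _, v := range pod.Spec.Volumes {
		if isTokenVolume(v) {
			tokenVols[v.Name] = true
		}
	}
	out := map[string][]string{}
	for _, c := range pod.Spec.Containers {
		paths := []string{}
		for _, m := range c.VolumeMounts {
			if tokenVols[m.Name] {
				paths = append(paths, m.MountPath)
			}
		}
		out[c.Name] = paths
	}
	return out, nil
}

// Constructed sample 1: automount left unset, so the kubelet projects a token
// into every container, main included.
const DefaultPod = `{"spec":{"containers":[
 {"name":"main","volumeMounts":[{"name":"kube-api-access-x7k2p","mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}]},
 {"name":"wait","volumeMounts":[{"name":"kube-api-access-x7k2p","mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}]}],
 "volumes":[{"name":"kube-api-access-x7k2p","projected":{"sources":[{"serviceAccountToken":{"path":"token"}}]}}]}}`

// Constructed sample 2: automountServiceAccountToken false plus an executor
// service account, so only wait mounts the exec-sa-token Secret.
const HardenedPod = `{"spec":{"automountServiceAccountToken":false,"containers":[
 {"name":"main","volumeMounts":[{"name":"tmp-dir-argo","mountPath":"/tmp"}]},
 {"name":"wait","volumeMounts":[{"name":"exec-sa-token","mountPath":"/var/run/secrets/kubernetes.io/serviceaccount"}]}],
 "volumes":[{"name":"tmp-dir-argo","emptyDir":{}},
  {"name":"exec-sa-token","secret":{"secretName":"workflow-pod.service-account-token"}}]}}`

func main() {
	for label, raw := range map[string]string{"default": DefaultPod, "hardened": HardenedPod} {
		mounts, err := TokenMounts([]byte(raw))
		if err != nil {
			panic(err)
		}
		for name, paths := range mounts {
			fmt.Printf("%s pod: container %-4s token mounts=%v\n", label, name, paths)
		}
	}
}
```

Pipe a real pod through `TokenMounts` and treat any non-empty slice for `main` as a finding; with the long-lived Secret approach from the comment above, `wait` is expected to show exactly one token path, and that is the token whose persistence the note above is warning about.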
