Investigate the automatic mapping of service accounts #1589

Closed
philipgough opened this issue Jan 19, 2022 · 3 comments

Comments

philipgough (Contributor) commented Jan 19, 2022

What is missing?

In #1584 we introduced security scanning of our manifests via kubescape.

The output of that scan shows following resources have enabled automatic mapping of their service account tokens

  • ServiceAccount - alertmanager-main
  • ServiceAccount - blackbox-exporter
  • ServiceAccount - grafana
  • ServiceAccount - kube-state-metrics
  • ServiceAccount - node-exporter
  • ServiceAccount - prometheus-k8s
  • ServiceAccount - prometheus-adapter
  • ServiceAccount - prometheus-operator
  • Deployment - blackbox-exporter
  • Deployment - grafana
  • Deployment - kube-state-metrics
  • Deployment - prometheus-adapter
  • Deployment - prometheus-operator
  • DaemonSet - node-exporter

We should investigate, in all listed cases, whether we can disable this default setting, enabling it only for pods that need it. If we cannot make the change, we should document why and add an exception to our configuration.

After we make the changes, we should determine the new risk score and adjust the threshold accordingly.

Why do we need it?

Description: A potential attacker may gain access to a pod and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in the service account configuration and enable it only for pods that need to use them.

See https://hub.armo.cloud/docs/c-0034

cc @ArthurSens

paulfantom (Member) commented Jan 21, 2022

I completely forgot to finish this after the investigation I did in my homelab. 🤦 Sorry.

The result was that after setting automountServiceAccountToken to false in all ServiceAccount objects, only the following components needed to have it re-enabled at pod level:

  • prometheus
  • prometheus-operator
  • kube-state-metrics
  • prometheus-adapter

Those 4 components need environment variables set with automountServiceAccountToken: true to connect to the Kubernetes API server.

Bear in mind that to do this properly, we need to modify code in 4 different repositories (specific files listed below):

philipgough (Contributor, Author) commented

Closed via #1591
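The pattern discussed in the issue and in paulfantom's comment above (false on every ServiceAccount, true only in the pod templates that need the API server) is easy to get wrong because three places can decide the final value. The script below is an added editorial example, not code from kube-prometheus or kubescape; the manifests are constructed inline in `kubectl get -o json` shape, and the names mirror the issue only for illustration. It resolves the effective setting per workload using the Kubernetes precedence (pod field, then ServiceAccount field, then the default of true) and lists the workloads that would still get a token mounted, which is what the C-0034 control flags.

```python
"""Resolve the effective automountServiceAccountToken for each workload.

Added editorial example; not code from kube-prometheus or kubescape.
Kubernetes precedence: an explicit pod-level field wins, otherwise the
ServiceAccount's field applies, otherwise the default is true. That is why
setting false on every ServiceAccount and re-enabling the mount only in
the pod templates that need the API server behaves as a default-deny.
"""

DEFAULT_AUTOMOUNT = True  # Kubernetes default when neither pod nor ServiceAccount sets the field
WORKLOAD_KINDS = ("Pod", "Deployment", "DaemonSet", "StatefulSet", "Job", "CronJob")

# Constructed manifests in `kubectl get -o json` shape; the names mirror the issue,
# but the content is illustrative, not real kube-prometheus output.
MANIFESTS = [
    {"kind": "ServiceAccount", "metadata": {"name": "prometheus-operator", "namespace": "monitoring"},
     "automountServiceAccountToken": False},
    {"kind": "ServiceAccount", "metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "automountServiceAccountToken": False},
    # Field left unset: the default (true) applies unless the pod overrides it.
    {"kind": "ServiceAccount", "metadata": {"name": "grafana", "namespace": "monitoring"}},
    # Needs the API server: the SA says false, the pod template re-enables the mount.
    {"kind": "Deployment", "metadata": {"name": "prometheus-operator", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"serviceAccountName": "prometheus-operator",
                                     "automountServiceAccountToken": True}}}},
    # Does not need the API server: inherits false from its ServiceAccount.
    {"kind": "DaemonSet", "metadata": {"name": "node-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"serviceAccountName": "node-exporter"}}}},
    # Nobody set the field anywhere, so the token is still mounted.
    {"kind": "Deployment", "metadata": {"name": "grafana", "namespace": "monitoring"},
     "spec": {"template": {"spec": {"serviceAccountName": "grafana"}}}},
    # No serviceAccountName at all: falls back to the namespace's "default" SA, which is
    # not in this manifest set, so the default applies and the token is mounted.
    {"kind": "Deployment", "metadata": {"name": "blackbox-exporter", "namespace": "monitoring"},
     "spec": {"template": {"spec": {}}}},
]


def _pod_spec(obj):
    """Return the pod spec of a Pod or of a pod-template-bearing workload."""
    if obj["kind"] == "Pod":
        return obj["spec"]
    if obj["kind"] == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]["template"]["spec"]


def effective_automount(pod_spec, namespace, service_accounts):
    """Return (mounted, source): whether a token volume is injected and which field decided it."""
    pod_value = pod_spec.get("automountServiceAccountToken")
    if pod_value is not None:
        return bool(pod_value), "pod"
    sa_name = pod_spec.get("serviceAccountName", "default")
    sa = service_accounts.get((namespace, sa_name))
    if sa is not None and sa.get("automountServiceAccountToken") is not None:
        return bool(sa["automountServiceAccountToken"]), "serviceaccount"
    return DEFAULT_AUTOMOUNT, "default"


def audit(manifests):
    """Resolve the effective setting for every workload in a manifest list."""
    service_accounts = {}
    for m in manifests:
        if m["kind"] == "ServiceAccount":
            ns = m["metadata"].get("namespace", "default")
            service_accounts[(ns, m["metadata"]["name"])] = m
    results = []
    for m in manifests:
        if m["kind"] not in WORKLOAD_KINDS:
            continue
        ns = m["metadata"].get("namespace", "default")
        mounted, source = effective_automount(_pod_spec(m), ns, service_accounts)
        results.append({"kind": m["kind"], "name": m["metadata"]["name"],
                        "namespace": ns, "mounted": mounted, "source": source})
    return results


def token_mounted(manifests):
    """Workloads whose pods will still get a token volume (what the C-0034 control flags)."""
    return sorted(f'{r["kind"]}/{r["name"]}' for r in audit(manifests) if r["mounted"])


if __name__ == "__main__":
    for r in audit(MANIFESTS):
        print(f'{r["kind"]}/{r["name"]}: automount={r["mounted"]} (decided by {r["source"]})')
    print("still mounting a token:", token_mounted(MANIFESTS))
```

To run this against a live cluster instead of the constructed list, feed it the `items` array from `kubectl get serviceaccounts,deployments,daemonsets,statefulsets -A -o json`. The `source` field matters for the follow-up in this thread: a workload reported as `default` has simply never been looked at, whereas one reported as `pod` is a deliberate exception of the kind the issue asks to document.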

werdnum commented Jul 17, 2022

See #1808 - this change has broken the scraper in my installation.
