Merge pull request #2839 from zalando-incubator/bound-service-account…

…-tokens Enable rotation of service account tokens
zalando-incubator · Jan 17, 2020 · 1717c00 · 1717c00
2 parents 4a2d806 + 0940b38
commit 1717c00
Show file tree

Hide file tree

Showing 10 changed files with 25 additions and 8 deletions.
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -255,6 +255,8 @@ apiserver_proxy: "true"
 # when set to true, service account tokens can be used from outside the cluster
 # requires apiserver_proxy to be set to "true"
 allow_external_service_accounts: "false"
+# issue service account tokens with expiration time.
+rotate_service_account_tokens: "false"
 
 # use kube-aws-iam-controller for kube-system components
 kube_aws_iam_controller_kube_system_enable: "true"

diff --git a/cluster/manifests/dashboard/deployment.yaml b/cluster/manifests/dashboard/deployment.yaml
@@ -47,3 +47,5 @@ spec:
           readOnlyRootFilesystem: true
           runAsNonRoot: true
           runAsUser: 1000
+      securityContext:
+        fsGroup: 1000
diff --git a/cluster/manifests/external-dns/deployment.yaml b/cluster/manifests/external-dns/deployment.yaml
@@ -65,6 +65,8 @@ spec:
           runAsUser: 65534
           capabilities:
             drop: ["ALL"]
+      securityContext:
+        fsGroup: 65534
 {{ if eq .ConfigItems.kube_aws_iam_controller_kube_system_enable "true"}}
       volumes:
       - name: aws-iam-credentials

diff --git a/cluster/manifests/heapster/deployment.yaml b/cluster/manifests/heapster/deployment.yaml
@@ -24,6 +24,8 @@ spec:
             value: "1"
       priorityClassName: system-cluster-critical
       serviceAccountName: heapster
+      securityContext:
+        fsGroup: 65534
       containers:
         - image: registry.opensource.zalan.do/teapot/heapster:v1.5.4
           name: heapster

diff --git a/cluster/manifests/kube-proxy/configmap.yaml b/cluster/manifests/kube-proxy/configmap.yaml
@@ -24,6 +24,7 @@ data:
     enableProfiling: false
     featureGates:
       TaintBasedEvictions: true
+      BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
     healthzBindAddress: 0.0.0.0:10256
     hostnameOverride: ""
     iptables:

diff --git a/cluster/manifests/kube-state-metrics/deployment.yaml b/cluster/manifests/kube-state-metrics/deployment.yaml
@@ -47,3 +47,5 @@ spec:
           runAsUser: 65534
           capabilities:
             drop: ["ALL"]
+      securityContext:
+        fsGroup: 65534
diff --git a/cluster/manifests/psp/pod_security_policy.yaml b/cluster/manifests/psp/pod_security_policy.yaml
@@ -43,3 +43,4 @@ spec:
   - persistentVolumeClaim
   - downwardAPI
   - configMap
+  - projected
diff --git a/cluster/manifests/skipper/deployment.yaml b/cluster/manifests/skipper/deployment.yaml
@@ -177,6 +177,8 @@ spec:
               name: skipper-ingress
               key: lightstep-token
 {{ end }}
+      securityContext:
+        fsGroup: 1000
 {{ if eq .ConfigItems.enable_apimonitoring "true"}}
       volumes:
         - name: filters

diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml
@@ -41,11 +41,9 @@ write_files:
 {{- if not (index .Cluster.ConfigItems "enable_cfs_quota") }}
       cpuCFSQuota: false
 {{- end }}
-{{- if ne .NodePool.ConfigItems.pod_max_pids "-1" }}
       featureGates:
-        SupportPodPidsLimit: true
+        BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
       podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
-{{- end }}
       maxPods: {{ nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) 8 }}
       healthzPort: 10248
       healthzBindAddress: "0.0.0.0"
@@ -120,8 +118,12 @@ write_files:
           - --authorization-mode=Webhook,RBAC
           - --authorization-webhook-config-file=/etc/kubernetes/config/authz.yaml
           - --admission-control-config-file=/etc/kubernetes/config/image-policy-webhook.yaml
-          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,CustomResourceWebhookConversion={{.Cluster.ConfigItems.custom_resource_webhook_conversion}},CustomResourcePublishOpenAPI={{.Cluster.ConfigItems.custom_resource_publish_openapi}}
+          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,CustomResourceWebhookConversion={{.Cluster.ConfigItems.custom_resource_webhook_conversion}},CustomResourcePublishOpenAPI={{.Cluster.ConfigItems.custom_resource_publish_openapi}},BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
           - --anonymous-auth=false
+          {{- if eq .Cluster.ConfigItems.rotate_service_account_tokens "true" }}
+          - --service-account-signing-key-file=/etc/kubernetes/ssl/service-account-private-key.pem
+          - --service-account-issuer=kubernetes/serviceaccount
+          {{- end }}
           {{ if ne .Cluster.ConfigItems.audittrail_url "" }}
           - --audit-webhook-config-file=/etc/kubernetes/config/audit.yaml
           - --audit-webhook-mode=batch
@@ -461,7 +463,7 @@ write_files:
           - --root-ca-file=/etc/kubernetes/ssl/ca.pem
           - --cloud-provider=aws
           - --cloud-config=/etc/kubernetes/cloud-config.ini
-          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true
+          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
           - --horizontal-pod-autoscaler-use-rest-clients=true
           - --use-service-account-credentials=true
           - --configure-cloud-routes=false
@@ -524,7 +526,7 @@ write_files:
           args:
           - --master=http://127.0.0.1:8080
           - --leader-elect=true
-          - --feature-gates=TaintBasedEvictions=true,TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}}
+          - --feature-gates=TaintBasedEvictions=true,TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
           env:
           - name: KUBE_MAX_PD_VOLS
             value: "26"

diff --git a/cluster/node-pools/worker-default/userdata.yaml b/cluster/node-pools/worker-default/userdata.yaml
@@ -51,11 +51,12 @@ write_files:
       kind: KubeletConfiguration
       clusterDomain: cluster.local
       cpuCFSQuota: false
-{{- if ne .NodePool.ConfigItems.pod_max_pids "-1" }}
       featureGates:
         SupportPodPidsLimit: true
-      podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
+{{- if eq .Cluster.ConfigItems.rotate_service_account_tokens "true" }}
+        BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
 {{- end }}
+      podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
       cpuManagerPolicy: {{ .NodePool.ConfigItems.cpu_manager_policy }}
       maxPods: {{ nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) 0 }}
       healthzPort: 10248