This repository was archived by the owner on May 16, 2023. It is now read-only.

Description
Chart version:
All (7.14.0 currently)
Kubernetes version:
All (1.21.4 in my case)
Kubernetes provider: E.g. GKE (Google Kubernetes Engine)
Talos on bare metal
Helm Version:
3.5.2
helm get release output
n/a
Describe the bug:
The Kibana and ElasticSearch charts mount the Kubernetes ServiceAccount token in the pod by default. Since they do not require access to the Kubernetes API, this is an unneeded attack surface. Potential attackers could access the K8S API on behalf of the Pod.
Steps to reproduce:
- Install the chart
- Run: kubectl describe pod -n <ns> <pod>
- Observe a mount at /var/run/secrets/kubernetes.io/serviceaccount
Expected behavior:
No mounted SA.
Provide logs and/or server output (if relevant):
n/a
Any additional context:
I've created two PRs to fix this (#1300 and #1301). Maybe someone could look into these.
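As an added example (not part of this issue, the linked PRs, or the chart's own code), the Python script below checks a Pod manifest, such as the output of kubectl get pod -n <ns> <pod> -o json loaded as a dict, for the ServiceAccount token mount and produces a hardened copy of the spec. It applies the Kubernetes precedence rule that pod.spec.automountServiceAccountToken overrides the ServiceAccount's own automountServiceAccountToken field, both defaulting to true. The sample Pod is constructed to resemble what the chart produces (the kube-api-access-* projected volume is what the admission controller injects); the function names and the volume suffix are assumptions for illustration.

```python
"""Detect and remove the auto-mounted ServiceAccount token in a Pod spec.

Example code written for this issue, not the chart's own code.
The sample manifest below is constructed, not captured from a cluster.
"""
import copy
import json

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed to resemble a running Elasticsearch pod from the chart, after the
# admission controller has injected the projected token volume. The volume name
# suffix "abc12" is an arbitrary stand-in for the random suffix Kubernetes uses.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "elasticsearch-master-0", "namespace": "logging"},
    "spec": {
        "serviceAccountName": "default",
        "containers": [{
            "name": "elasticsearch",
            "image": "docker.elastic.co/elasticsearch/elasticsearch:7.14.0",
            "volumeMounts": [
                {"name": "esconfig",
                 "mountPath": "/usr/share/elasticsearch/config/elasticsearch.yml",
                 "subPath": "elasticsearch.yml"},
                {"name": "kube-api-access-abc12",
                 "mountPath": SA_TOKEN_PATH, "readOnly": True},
            ],
        }],
        "volumes": [
            {"name": "esconfig",
             "configMap": {"name": "elasticsearch-master-config"}},
            {"name": "kube-api-access-abc12",
             "projected": {"sources": [
                 {"serviceAccountToken": {"path": "token",
                                          "expirationSeconds": 3607}}]}},
        ],
    },
}


def _all_containers(spec):
    # Init containers get the token too, so inspect both lists.
    return spec.get("containers", []) + spec.get("initContainers", [])


def token_automounted(pod, service_account=None):
    """Would Kubernetes inject the token? Pod field wins over the
    ServiceAccount field; when neither is set the default is True."""
    pod_setting = pod.get("spec", {}).get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    if service_account is not None:
        sa_setting = service_account.get("automountServiceAccountToken")
        if sa_setting is not None:
            return bool(sa_setting)
    return True


def token_mounts(pod):
    """Return (container name, mountPath) pairs at the token path, which is
    what 'kubectl describe pod' shows under Mounts on an affected pod."""
    found = []
    for container in _all_containers(pod.get("spec", {})):
        for vm in container.get("volumeMounts", []):
            if vm.get("mountPath") == SA_TOKEN_PATH:
                found.append((container["name"], vm["mountPath"]))
    return found


def harden(pod):
    """Return a copy with automount disabled and any existing token mount
    and its backing volume stripped, so the pod has no API credential."""
    hardened = copy.deepcopy(pod)
    spec = hardened.setdefault("spec", {})
    spec["automountServiceAccountToken"] = False
    dropped = set()
    for container in _all_containers(spec):
        kept = []
        for vm in container.get("volumeMounts", []):
            if vm.get("mountPath") == SA_TOKEN_PATH:
                dropped.add(vm.get("name"))
            else:
                kept.append(vm)
        if "volumeMounts" in container:
            container["volumeMounts"] = kept
    if dropped:
        spec["volumes"] = [v for v in spec.get("volumes", [])
                           if v.get("name") not in dropped]
    return hardened


if __name__ == "__main__":
    print("token automounted:", token_automounted(SAMPLE_POD))
    print("token mounts:", token_mounts(SAMPLE_POD))
    fixed = harden(SAMPLE_POD)
    print("after hardening:", token_automounted(fixed), token_mounts(fixed))
    print(json.dumps(fixed["spec"], indent=2))
```

Setting the field on the Pod spec is the reliable fix for a chart, because it does not depend on how the ServiceAccount in the target namespace is configured; disabling it only on the ServiceAccount is undone by any pod that sets the field to true.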