From a0b6b6b1562dcc63d25e254538781ad09e442366 Mon Sep 17 00:00:00 2001 From: Jorik Jonker Date: Tue, 12 Oct 2021 13:58:49 +0200 Subject: [PATCH] [kibana] optionally disable SA token automount (#1301) Kibana has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount, but leaves leaves current behaviour untouched to avoid breaking things. Signed-off-by: Jorik Jonker --- kibana/README.md | 1 + kibana/templates/deployment.yaml | 1 + kibana/tests/kibana_test.py | 25 +++++++++++++++++++++++++ kibana/values.yaml | 3 +++ 4 files changed, 30 insertions(+) diff --git a/kibana/README.md b/kibana/README.md index bfb9bb35f..54f95b6db 100644 --- a/kibana/README.md +++ b/kibana/README.md @@ -82,6 +82,7 @@ as a reference. They are also used in the automated testing of this chart. | Parameter | Description | Default | |-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------| | `affinity` | Configurable [affinity][] | `{}` | +| `automountToken` | Whether or not to automount the service account token in the Pod | `true` | | `elasticsearchHosts` | The URLs used to connect to Elasticsearch | `http://elasticsearch-master:9200` | | `envFrom` | Templatable string to be passed to the [environment from variables][] which will be appended to the `envFrom:` definition for the container | `[]` | | `extraContainers` | Templatable string of additional containers to be passed to the `tpl` function | `""` | diff --git a/kibana/templates/deployment.yaml b/kibana/templates/deployment.yaml index 71703271f..872876903 100644 --- a/kibana/templates/deployment.yaml 
+++ b/kibana/templates/deployment.yaml @@ -28,6 +28,7 @@ spec: configchecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }} {{- end }} spec: + automountServiceAccountToken: {{ .Values.automountToken }} {{- if .Values.priorityClassName }} priorityClassName: {{ .Values.priorityClassName }} {{- end }} diff --git a/kibana/tests/kibana_test.py b/kibana/tests/kibana_test.py index a7411f358..4ffe56665 100644 --- a/kibana/tests/kibana_test.py +++ b/kibana/tests/kibana_test.py @@ -756,3 +756,28 @@ def test_hostaliases(): r = helm_template(config) hostAliases = r["deployment"][name]["spec"]["template"]["spec"]["hostAliases"] assert {"ip": "127.0.0.1", "hostnames": ["foo.local", "bar.local"]} in hostAliases + + +def test_default_automount_sa_token(): + config = """ +""" + r = helm_template(config) + assert ( + r["deployment"][name]["spec"]["template"]["spec"][ + "automountServiceAccountToken" + ] + == True + ) + + +def test_disable_automount_sa_token(): + config = """ +automountToken: false +""" + r = helm_template(config) + assert ( + r["deployment"][name]["spec"]["template"]["spec"][ + "automountServiceAccountToken" + ] + == False + ) diff --git a/kibana/values.yaml b/kibana/values.yaml index bc1366c21..e11286727 100755 --- a/kibana/values.yaml +++ b/kibana/values.yaml @@ -81,6 +81,9 @@ securityContext: serviceAccount: "" +# Whether or not to automount the service account token in the pod. Normally, Kibana does not need this +automountToken: true + # This is the PriorityClass settings as defined in # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass priorityClassName: ""
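Review bot: The new `automountServiceAccountToken: {{ .Values.automountToken }}` line in the pod spec would benefit from a template comment recording that the pod-level field takes precedence over the ServiceAccount's own `automountServiceAccountToken`, so a reader knows this value is authoritative whichever service account the pod ends up using. Suggested line directly above it: `{{- /* Pod-level setting; overrides automountServiceAccountToken on the ServiceAccount itself */ -}}`. With `serviceAccount: ""` as the chart default (visible in the values.yaml hunk) the pod presumably runs as the namespace's default ServiceAccount, which makes this pod-level switch the only place the chart controls whether that credential lands in the container.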
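Review bot: `== True` and `== False` in test_default_automount_sa_token and test_disable_automount_sa_token are the comparison form PEP 8 (E712) discourages; the idiomatic assertion for a singleton is identity, `r["deployment"][name]["spec"]["template"]["spec"]["automountServiceAccountToken"] is True` and the `is False` counterpart. Identity also makes explicit that the rendered field must be a YAML boolean rather than merely compare equal to one, which is the property the API server validates. The `test_hostaliases` context lines at the top of the hunk belong to a function that starts outside it.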
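Review bot: The comment above the new `automountToken: true` key states only that Kibana "normally" does not need the token; it should say why an operator would flip it and which value is the hardened one, since the key's security effect is not obvious from its name. Suggested replacement comment: `# Kibana does not call the Kubernetes API, so the pod does not need a service account token.` followed by `# Set to false to keep the token out of the container; true is only the default to preserve existing behaviour.` The neighbouring `serviceAccount: ""` default suggests the pod otherwise runs as the namespace default ServiceAccount, which is worth naming in the comment if that is the case.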