Harden Job Pod Service Account RBAC Settings

Open ihcsim opened this issue 2 years ago • 10 comments

The job pod should be updated to use the namespace default service account if none is specified by the user, following the Kubernetes Job model. By default, the pod should also run with spec.automountServiceAccountToken: false to NOT automatically mount the service account credentials. Most job pods shouldn't need direct interaction with the Kubernetes API server. When one does, the pod should be using an ephemeral projected ServiceAccountToken.

ihcsim avatar Jul 11 '22 15:07 ihcsim
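The three pod configurations the issue contrasts, as an added example that is not part of the issue or of Kanister's own job template: the current weak form (controller service account, token auto-mounted), the proposed default (namespace `default` account, no token), and the variant for a task that genuinely needs the API server (explicit projected token with a short lifetime). The namespace `kanister`, the service account names `kanister-operator` and `kanister-job`, the container images and the test commands are all assumed for illustration.

```yaml
# Added example, not Kanister's manifest. Names and images are assumed.

# --- Weak form: what the issue describes today -----------------------------
# The pod runs as the controller's service account and, because
# automountServiceAccountToken is not set (default true), the kubelet mounts
# that account's token at /var/run/secrets/kubernetes.io/serviceaccount/token.
# Anything executing in the container inherits the controller's RBAC rights.
apiVersion: batch/v1
kind: Job
metadata:
  name: kanister-job-weak
  namespace: kanister
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      serviceAccountName: kanister-operator   # assumed controller SA name
      containers:
      - name: backup
        image: alpine:3.19                    # assumed; any image with /bin/sh
        command: ["sh", "-c", "cat /var/run/secrets/kubernetes.io/serviceaccount/token"]
---
# --- Proposed default: no API access needed --------------------------------
# No serviceAccountName, so the namespace "default" account is used, as for a
# plain Job; automountServiceAccountToken: false suppresses the token mount.
# The pod-level field wins over whatever the ServiceAccount object sets.
apiVersion: batch/v1
kind: Job
metadata:
  name: kanister-job-hardened
  namespace: kanister
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false
      containers:
      - name: backup
        image: alpine:3.19
        # Exit 0 only if no token was mounted.
        command: ["sh", "-c", "test ! -e /var/run/secrets/kubernetes.io/serviceaccount/token"]
---
# --- Task that does need the API server ------------------------------------
# Same as above plus an explicit projected volume; explicit volumes are still
# mounted when automountServiceAccountToken is false. The token is bound to
# this pod (rejected once the pod is gone), refreshed by the kubelet, and
# expires after expirationSeconds (600 is the minimum the API server accepts).
# The cluster CA comes from the kube-root-ca.crt ConfigMap present in every
# namespace, so nothing from the default mount path is needed.
apiVersion: batch/v1
kind: Job
metadata:
  name: kanister-job-projected
  namespace: kanister
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      automountServiceAccountToken: false
      serviceAccountName: kanister-job      # assumed SA holding only the RBAC this task needs
      volumes:
      - name: api-token
        projected:
          sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 600
              # audience omitted: defaults to the API server's own audience
          - configMap:
              name: kube-root-ca.crt
              items: [{key: ca.crt, path: ca.crt}]
      containers:
      - name: backup
        image: bitnami/kubectl:latest         # assumed; any image with kubectl
        volumeMounts:
        - name: api-token
          mountPath: /var/run/secrets/tokens
          readOnly: true
        command:
        - sh
        - -c
        - |
          kubectl --server="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
            --certificate-authority=/var/run/secrets/tokens/ca.crt \
            --token="$(cat /var/run/secrets/tokens/token)" \
            get pods -n kanister
```

To confirm the setting landed on a running pod, read it back with `kubectl get pod <name> -n kanister -o jsonpath='{.spec.automountServiceAccountToken}'` and check that `/var/run/secrets/kubernetes.io/serviceaccount` is absent inside the container. One caveat: on Kubernetes 1.22 and later the auto-mounted token is itself a bound, projected token with a roughly one-hour lifetime that the kubelet refreshes, so the explicit volume buys a shorter expiry and an optional narrower audience rather than bound tokens as such; the bigger win is `automountServiceAccountToken: false`, which removes the credential entirely for the majority of tasks that never call the API. Note also that the flag removes the token only; the `KUBERNETES_SERVICE_*` environment variables and network reachability of the API server remain, so pair it with a NetworkPolicy if the task should not be able to reach the control plane at all.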

Thanks for opening this issue :+1:. The team will review it shortly.

If this is a bug report, make sure to include clear instructions on how to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.

If you haven't already, please take a moment to review our project's Code of Conduct document.

github-actions[bot] avatar Jul 11 '22 15:07 github-actions[bot]

This issue is marked as stale due to inactivity. Add a new comment to reactivate it.

github-actions[bot] avatar Sep 10 '22 00:09 github-actions[bot]

@ihcsim can I work on this issue ?

Sagar2366 avatar Oct 02 '22 03:10 Sagar2366

@Sagar2366 the code change for this is relatively simple, but a number of example blueprints will need to be updated. E.g., this etcd blueprint assumes that the job pod uses a service account that has permission to run kubectl exec against etcd pods. In this example blueprint, it uses the controller's service account. Making this change will require updating the blueprints to use the podOverride argument, to provide a service account with the appropriate RBAC permissions.

Furthermore, due to its breaking change nature, it isn't something that we can roll out immediately. We will need to give the community sufficient notice before rolling out this change.

Let me know if you are still interested in working on it.

ihcsim avatar Oct 03 '22 22:10 ihcsim
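What the blueprint migration described above could look like, as an added example that is not part of this thread or of Kanister's repository: a dedicated ServiceAccount whose Role permits only `kubectl exec` into named pods in the etcd namespace, and a KubeTask phase that selects that account through `podOverride` instead of inheriting the controller's. The namespace `kube-system`, the account name `etcd-backup`, the etcd pod name, the kubeadm certificate paths, the image, and the blueprint shape (`cr.kanister.io/v1alpha1`; KubeTask's `namespace`, `image`, `command` and `podOverride` args; the container name `container`) are assumptions from memory of the Kanister docs and should be checked against the function reference for the release in use.

```yaml
# Added example; all names are assumed (see the lead-in).

# Least-privilege account for the etcd backup task. Nothing else binds to it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: etcd-backup
  namespace: kube-system
automountServiceAccountToken: false   # the pod sets it too; this covers other pods using the SA
---
# `kubectl exec` needs "get" on the target pod and "create" on the pods/exec
# subresource. No list/watch, no secrets, no cluster scope. resourceNames
# cannot use wildcards or selectors, so the static etcd pod names are listed.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: etcd-exec
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get"]
  resourceNames: ["etcd-control-plane-1"]   # assumed pod name
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["create"]
  resourceNames: ["etcd-control-plane-1"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: etcd-exec
  namespace: kube-system
subjects:
- kind: ServiceAccount
  name: etcd-backup
  namespace: kube-system
roleRef:
  kind: Role
  name: etcd-exec
  apiGroup: rbac.authorization.k8s.io
---
# Blueprint phase running the job pod under that account. Shape assumed.
apiVersion: cr.kanister.io/v1alpha1
kind: Blueprint
metadata:
  name: etcd-blueprint
  namespace: kanister
actions:
  backup:
    phases:
    - func: KubeTask
      name: snapshotEtcd
      args:
        namespace: kube-system
        image: ghcr.io/kanisterio/kanister-tools:0.0.0   # assumed image with kubectl
        podOverride:
          serviceAccountName: etcd-backup
          automountServiceAccountToken: false
          volumes:
          - name: api-token
            projected:
              sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 600
              - configMap:
                  name: kube-root-ca.crt
                  items: [{key: ca.crt, path: ca.crt}]
          containers:
          - name: container              # assumed KubeTask container name
            volumeMounts:
            - name: api-token
              mountPath: /var/run/secrets/tokens
              readOnly: true
        command:
        - sh
        - -c
        - |
          kubectl --server="https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}" \
            --certificate-authority=/var/run/secrets/tokens/ca.crt \
            --token="$(cat /var/run/secrets/tokens/token)" \
            -n kube-system exec etcd-control-plane-1 -- \
            etcdctl --endpoints=https://127.0.0.1:2379 \
              --cacert=/etc/kubernetes/pki/etcd/ca.crt \
              --cert=/etc/kubernetes/pki/etcd/server.crt \
              --key=/etc/kubernetes/pki/etcd/server.key \
              snapshot save /var/lib/etcd/snap.db   # assumed kubeadm layout
```

Before wiring the account into a blueprint, check the boundary from the outside: `kubectl auth can-i create pods/exec -n kube-system --as=system:serviceaccount:kube-system:etcd-backup` should answer `yes`, while `kubectl auth can-i list secrets -n kube-system --as=system:serviceaccount:kube-system:etcd-backup` and `kubectl auth can-i get pods --all-namespaces --as=system:serviceaccount:kube-system:etcd-backup` should both answer `no`. That pair of checks is the practical difference from today's blueprints, where the job pod carries whatever the controller can do.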

@ihcsim thank you for the inputs. I am still ramping up and trying to understand the project, so please guide me along the way as you're doing. Yes, I am still interested in working on it.

Sagar2366 avatar Oct 04 '22 00:10 Sagar2366

@Sagar2366 Thanks again for your interest. @pavannd1 and I will go over how to handle this breaking change. I do think it's important that this gets fixed. Will keep you posted.

Meanwhile, you can try out Kanister on your local cluster following the installation instructions here. Then follow this short tutorial to see Kanister in action. (The tutorial uses a KubeExec Function, you may wanna try with KubeTask since it's directly relevant to this issue.)

ihcsim avatar Oct 04 '22 18:10 ihcsim

Sure @ihcsim.

Sagar2366 avatar Oct 05 '22 17:10 Sagar2366

To be discussed internally with downstream users.

pavannd1 avatar Nov 09 '22 18:11 pavannd1

This issue is marked as stale due to inactivity. Add a new comment to reactivate it.

github-actions[bot] avatar Jan 09 '23 00:01 github-actions[bot]

This issue is closed due to inactivity. Feel free to reopen it, if it's still relevant.

github-actions[bot] avatar Feb 09 '23 00:02 github-actions[bot]