
Manually mount serviceAccount token

Open Aransh opened this issue 1 year ago • 5 comments

Subject: Disables "automountServiceAccountToken"; instead manually mounts it as a projected volume where necessary

Problem: By default, Kubernetes enables "automountServiceAccountToken" for all pods. This poses a security risk, as pods might get kube-api permissions unintentionally. More specifically, this fails security compliance tests:
https://learn.microsoft.com/en-us/azure/governance/policy/samples/built-in-policies
https://www.azadvertizer.net/azpolicyadvertizer/kubernetes_block-automount-token.html

Solution: Disable "automountServiceAccountToken", create a projected volume for the token, and mount it on relevant containers

Validation: Linkerd pods are able to access the k8s API and work as expected (same as before)

Fixes #13108

Aransh avatar Oct 15 '24 15:10 Aransh
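The pattern the PR describes (automount off, token supplied as a projected volume, mounted only on containers that talk to the API server) can be checked mechanically. The script below is an added example, not part of this PR or of the linkerd2 code base. It builds a projected volume with the same three sources the kubelet uses when automounting (bound token, cluster CA from the kube-root-ca.crt ConfigMap, namespace via the downward API), because Go clients expect ca.crt and namespace beside the token, and then lints two constructed pod specs: one with the default automount behaviour and one hardened the way this PR proposes. Container names (app, linkerd-proxy, linkerd-init) and the volume name kube-api-access are assumptions for the example.

```python
"""Lint a pod spec for the token-mounting policy described in the PR:
automountServiceAccountToken disabled, token projected only into the
containers that need kube-api access, never into init containers."""

# Directory where client libraries look for token, ca.crt and namespace.
TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def token_volume(name="kube-api-access"):
    """Projected volume equivalent to what the kubelet automounts (name assumed)."""
    return {
        "name": name,
        "projected": {
            "sources": [
                {"serviceAccountToken": {"path": "token", "expirationSeconds": 3607}},
                {"configMap": {"name": "kube-root-ca.crt",
                               "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
                {"downwardAPI": {"items": [{"path": "namespace",
                                            "fieldRef": {"fieldPath": "metadata.namespace"}}]}},
            ]
        },
    }


def mounts_token(container, token_volume_names):
    """True if the container mounts one of the token volumes at the standard path."""
    return any(m["name"] in token_volume_names and m["mountPath"] == TOKEN_DIR
               for m in container.get("volumeMounts", []))


def check_pod_spec(spec, needs_token):
    """Return a list of policy findings (empty list means compliant).

    needs_token: set of container names that legitimately require API access.
    """
    findings = []
    # Kubernetes defaults this field to true when it is absent.
    if spec.get("automountServiceAccountToken", True):
        findings.append("automountServiceAccountToken is not disabled")
    token_vols = {
        v["name"] for v in spec.get("volumes", [])
        if any("serviceAccountToken" in s
               for s in v.get("projected", {}).get("sources", []))
    }
    for c in spec.get("initContainers", []):
        if mounts_token(c, token_vols):
            findings.append(f"init container {c['name']} mounts the token")
    for c in spec.get("containers", []):
        has = mounts_token(c, token_vols)
        if c["name"] in needs_token and not has:
            findings.append(f"container {c['name']} needs the token but has no mount")
        if c["name"] not in needs_token and has:
            findings.append(f"container {c['name']} mounts the token but does not need it")
    return findings


# Constructed sample: Kubernetes default, token automounted into every container.
DEFAULT_SPEC = {
    "initContainers": [{"name": "linkerd-init", "image": "init:example"}],
    "containers": [{"name": "app", "image": "app:example"},
                   {"name": "linkerd-proxy", "image": "proxy:example"}],
}

# Constructed sample: hardened as in the PR; only "app" gets the token.
HARDENED_SPEC = {
    "automountServiceAccountToken": False,
    "volumes": [token_volume()],
    "initContainers": [{"name": "linkerd-init", "image": "init:example"}],
    "containers": [
        {"name": "app", "image": "app:example",
         "volumeMounts": [{"name": "kube-api-access",
                           "mountPath": TOKEN_DIR, "readOnly": True}]},
        {"name": "linkerd-proxy", "image": "proxy:example"},
    ],
}

if __name__ == "__main__":
    for label, spec in (("default", DEFAULT_SPEC), ("hardened", HARDENED_SPEC)):
        print(label, check_pod_spec(spec, needs_token={"app"}) or "OK")
```

Feeding real manifests through this (for example, rendered Helm output) means replacing the constructed dicts with parsed YAML; the check itself stays the same.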

@alpeb I can gladly add that, but I don't currently use any of them, so it would be difficult to figure out what's required... Could you help with pointing out which containers need kube-api access and which don't?

Also I need to see if I can figure out what's causing the CI to fail currently, will try and take a look next week

Aransh avatar Oct 17 '24 23:10 Aransh

Thanks again for the help @Aransh ! Here's the info you need:

  • In the linkerd-viz and linkerd-jaeger charts, all workloads require kube-api access
  • In multicluster's linkerd-multicluster chart, the gateway workload does not require kube-api access but the namespace-metadata one does
  • In multicluster's linkerd-multicluster-link chart, the service-mirror workload requires kube-api access

BTW, CI had one flaky test, but it's looking good now :+1:

alpeb avatar Oct 18 '24 15:10 alpeb

Thanks for the CI clarification 😃

When you say "workload", you mean pod essentially? Keep in mind the token mounting is done per container, or do these workloads all have a single container?

If not, or you're not sure, I can just mount it to all containers; I'd just prefer to do it as precisely as I can. For the linkerd-control-plane, for instance, none of the init containers required it, and some of the containers didn't either.

Aransh avatar Oct 18 '24 15:10 Aransh

Yeah these are all single-container pods (not counting the proxy and init containers, which don't require any changes).

alpeb avatar Oct 18 '24 16:10 alpeb

Got it, will mount on all containers except init and proxy then, probably will handle Tuesday. Thanks!

Aransh avatar Oct 18 '24 19:10 Aransh

@alpeb Updated for linkerd-viz, linkerd-jaeger, linkerd-multicluster, and linkerd-multicluster-link as you requested. I want to mention again I have not tested these as I don't use these charts, but they should see no difference as they all have the token manually mounted, except for the "linkerd-multicluster" gateway workload

Aransh avatar Oct 22 '24 08:10 Aransh

I see it's failing for mismatch with templates again, but running go test ./cli/cmd/... --update as mentioned in docs doesn't seem to change anything after my latest commits... Am I missing something?

Aransh avatar Oct 22 '24 10:10 Aransh

Turns out those docs are outdated... the right command is go test ./... -update

alpeb avatar Oct 22 '24 14:10 alpeb

@alpeb updated

Aransh avatar Oct 22 '24 15:10 Aransh