This repository has been archived by the owner on May 16, 2023. It is now read-only.
[elasticsearch]: optionally disable SA token automount
ES has no direct interaction with the Kubernetes API, and as such, it
does not need a mounted service account token in its pods. By disabling
this automount, potential attackers cannot access the API on
behalf/through the Pod.

This commit allows users to opt out of SA token automount. It leaves the
current behaviour unchanged, to avoid breaking things.

Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
jonkerj committed Sep 20, 2021
1 parent e17ad81 commit 6d7332a
Showing 4 changed files with 29 additions and 1 deletion.
2 changes: 1 addition & 1 deletion elasticsearch/README.md
Expand Up @@ -151,7 +151,7 @@ support multiple versions with minimal changes.
| `podSecurityPolicy` | Configuration for create a pod security policy with minimal permissions to run this Helm chart with `create: true`. Also can be used to reference an external pod security policy with `name: "externalPodSecurityPolicy"` | see [values.yaml][] |
| `priorityClassName` | The name of the [PriorityClass][]. No default is supplied as the PriorityClass must be created first | `""` |
| `protocol` | The protocol that will be used for the readiness [probe][]. Change this to `https` if you have `xpack.security.http.ssl.enabled` set | `http` |
| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"` | see [values.yaml][] |
| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"`, or automount the service account token | see [values.yaml][] |
| `readinessProbe` | Configuration fields for the readiness [probe][] | see [values.yaml][] |
| `replicas` | Kubernetes replica count for the StatefulSet (i.e. how many pods) | `3` |
| `resources` | Allows you to set the [resources][] for the StatefulSet | see [values.yaml][] |
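Review bot: The updated `rbac` row says the value can be used to "automount the service account token" but does not name the key or its default, so a reader still has to open values.yaml to find `rbac.automountToken` and learn that it defaults to `true` (matching the previous behaviour). Suggest naming the key in the cell and pointing out that `automountToken: false` is the setting that removes the API token from the pods, since that is the whole reason the knob exists.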
1 change: 1 addition & 0 deletions elasticsearch/templates/statefulset.yaml
Expand Up @@ -74,6 +74,7 @@ spec:
{{- else if not (eq .Values.rbac.serviceAccountName "") }}
serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}
{{- end }}
automountServiceAccountToken: {{ .Values.rbac.automountToken }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 6 }}
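Review bot: `automountServiceAccountToken: {{ .Values.rbac.automountToken }}` is rendered unconditionally, so a values override of `rbac: {automountToken: null}` produces an empty field rather than the chart default; if that is a concern, guard the line with `{{- if hasKey .Values.rbac "automountToken" }}` or document that the key must be a boolean. Placing the field in the pod template spec is the right choice: the pod-level setting takes precedence over the ServiceAccount's own `automountServiceAccountToken`, so it also takes effect when an external `serviceAccountName` is referenced.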
26 changes: 26 additions & 0 deletions elasticsearch/tests/elasticsearch_test.py
Expand Up @@ -1420,3 +1420,29 @@ def test_network_policy():
]
assert transport["ports"][0]["port"] == 9300
assert pod_selector == {"matchLabels": {"app": "elasticsearch-master",}}


def test_default_automount_sa_token():
config = """
"""
r = helm_template(config)
assert (
r["statefulset"][uname]["spec"]["template"]["spec"][
"automountServiceAccountToken"
]
== True
)


def test_disable_automount_sa_token():
config = """
rbac:
automountToken: false
"""
r = helm_template(config)
assert (
r["statefulset"][uname]["spec"]["template"]["spec"][
"automountServiceAccountToken"
]
== False
)
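Review bot: In both new tests the `== True` / `== False` comparisons would be flagged by flake8 (E712); prefer `is True` / `is False`, or simply `assert r[...]["automountServiceAccountToken"]` and `assert not r[...]`. The two cases cover the default and the disabled value, but none exercises the combination that the commit message motivates, an external `serviceAccountName` together with `automountToken: false`; adding a third case with `rbac: {serviceAccountName: "externalServiceAccountName", automountToken: false}` would pin down that the pod-level field is still rendered in that configuration.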
1 change: 1 addition & 0 deletions elasticsearch/values.yaml
Expand Up @@ -104,6 +104,7 @@ rbac:
create: false
serviceAccountAnnotations: {}
serviceAccountName: ""
automountToken: true

podSecurityPolicy:
create: false
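Review bot: `automountToken: true` is added without a comment, and the neighbouring `serviceAccountAnnotations` / `serviceAccountName` keys give no hint of what it controls. Since this is a security-relevant setting, a one-line comment such as `# mount the ServiceAccount token into the pods; ES does not need Kubernetes API access, so set to false to harden` would help users find and understand it. Defaulting to `true` keeps existing deployments unchanged, as the commit message intends.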