Skip to content
This repository has been archived by the owner on May 16, 2023. It is now read-only.

Commit

Permalink
[elasticsearch]: optionally disable SA token automount (#1300) (#1394)
Browse files Browse the repository at this point in the history
ES has no direct interaction with the Kubernetes API, and as such, it
does not need a mounted service account token in its pods. By disabling
this automount, potential attackers cannot access the API on
behalf/through the Pod.

This commit allows users to opt out on SA token automount. It leaves the
current behaviour unchanged, to avoid breaking things.

Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>

Co-authored-by: Jorik Jonker <jorik@kippendief.biz>
  • Loading branch information
jmlrt and jonkerj authored Oct 12, 2021
1 parent 61ccb9a commit a8d5ee2
Show file tree
Hide file tree
Showing 4 changed files with 29 additions and 1 deletion.
2 changes: 1 addition & 1 deletion elasticsearch/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -153,7 +153,7 @@ support multiple versions with minimal changes.
| `podSecurityPolicy` | Configuration for create a pod security policy with minimal permissions to run this Helm chart with `create: true`. Also can be used to reference an external pod security policy with `name: "externalPodSecurityPolicy"` | see [values.yaml][] |
| `priorityClassName` | The name of the [PriorityClass][]. No default is supplied as the PriorityClass must be created first | `""` |
| `protocol` | The protocol that will be used for the readiness [probe][]. Change this to `https` if you have `xpack.security.http.ssl.enabled` set | `http` |
| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"` | see [values.yaml][] |
| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"`, or automount the service account token | see [values.yaml][] |
| `readinessProbe` | Configuration fields for the readiness [probe][] | see [values.yaml][] |
| `replicas` | Kubernetes replica count for the StatefulSet (i.e. how many pods) | `3` |
| `resources` | Allows you to set the [resources][] for the StatefulSet | see [values.yaml][] |
Expand Down
1 change: 1 addition & 0 deletions elasticsearch/templates/statefulset.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,7 @@ spec:
{{- else if not (eq .Values.rbac.serviceAccountName "") }}
serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}
{{- end }}
automountServiceAccountToken: {{ .Values.rbac.automountToken }}
{{- with .Values.tolerations }}
tolerations:
{{ toYaml . | indent 6 }}
Expand Down
26 changes: 26 additions & 0 deletions elasticsearch/tests/elasticsearch_test.py
Original file line number Diff line number Diff line change
Expand Up @@ -1486,3 +1486,29 @@ def test_network_policy():
]
assert transport["ports"][0]["port"] == 9300
assert pod_selector == {"matchLabels": {"app": "elasticsearch-master",}}


def test_default_automount_sa_token():
config = """
"""
r = helm_template(config)
assert (
r["statefulset"][uname]["spec"]["template"]["spec"][
"automountServiceAccountToken"
]
== True
)


def test_disable_automount_sa_token():
config = """
rbac:
automountToken: false
"""
r = helm_template(config)
assert (
r["statefulset"][uname]["spec"]["template"]["spec"][
"automountServiceAccountToken"
]
== False
)
1 change: 1 addition & 0 deletions elasticsearch/values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ rbac:
create: false
serviceAccountAnnotations: {}
serviceAccountName: ""
automountToken: true

podSecurityPolicy:
create: false
Expand Down

0 comments on commit a8d5ee2

Please sign in to comment.