[kibana] optionally disable SA token automount (#1301) (#1481)

Kibana has no direct interaction with the Kubernetes API, and as such,
it does not need a mounted service account token in its pods. By
disabling this automount, potential attackers cannot access the API on
behalf/through the Pod.

This commit allows users to opt out on SA token automount, but leaves
leaves current behaviour untouched to avoid breaking things.

Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>

Co-authored-by: Jorik Jonker <jorik@kippendief.biz>

kibana/README.md

@@ -82,6 +82,7 @@ as a reference. They are also used in the automated testing of this chart.
 | Parameter             | Description                                                                                                                                                                                    | Default                            |
 |-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------|
 | `affinity`            | Configurable [affinity][]                                                                                                                                                                      | `{}`                               |
+| `automountToken`      | Whether or not to automount the service account token in the Pod                                                                                                                               | `true`                             |
 | `elasticsearchHosts`  | The URLs used to connect to Elasticsearch                                                                                                                                                      | `http://elasticsearch-master:9200` |
 | `envFrom`             | Templatable string to be passed to the [environment from variables][] which will be appended to the `envFrom:` definition for the container                                                    | `[]`                               |
 | `extraContainers`     | Templatable string of additional containers to be passed to the `tpl` function                                                                                                                 | `""`                               |

kibana/templates/deployment.yaml

@@ -28,6 +28,7 @@ spec:
         configchecksum: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum | trunc 63 }}
         {{- end }}
     spec:
+      automountServiceAccountToken: {{ .Values.automountToken }}
 {{- if .Values.priorityClassName }}
       priorityClassName: {{ .Values.priorityClassName }}
 {{- end }}

kibana/tests/kibana_test.py

@@ -777,3 +777,28 @@ def test_hostaliases():
     r = helm_template(config)
     hostAliases = r["deployment"][name]["spec"]["template"]["spec"]["hostAliases"]
     assert {"ip": "127.0.0.1", "hostnames": ["foo.local", "bar.local"]} in hostAliases
+
+
+def test_default_automount_sa_token():
+    config = """
+"""
+    r = helm_template(config)
+    assert (
+        r["deployment"][name]["spec"]["template"]["spec"][
+            "automountServiceAccountToken"
+        ]
+        == True
+    )
+
+
+def test_disable_automount_sa_token():
+    config = """
+automountToken: false
+"""
+    r = helm_template(config)
+    assert (
+        r["deployment"][name]["spec"]["template"]["spec"][
+            "automountServiceAccountToken"
+        ]
+        == False
+    )

kibana/values.yaml

@@ -81,6 +81,9 @@ securityContext:
 
 serviceAccount: ""
 
+# Whether or not to automount the service account token in the pod. Normally, Kibana does not need this
+automountToken: true
+
 # This is the PriorityClass settings as defined in
 # https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
 priorityClassName: ""