[kibana] optionally disable SA token automount #1301
Conversation
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually?
Hi devs, is there anything I can do to get this ball rolling?
Force-pushed 5f6586b to 70803f2
Rebased/cherry-picked to 7.14
Hi devs, I'd really like someone to take a look at this security fix. Is there anything I can do to get this fixed?
@jmlrt any chance you could take a look at this PR? Looks like you are an active dev here, and I'd really like this feature at least considered 😉
Hi @jonkerj, sorry for the late answer.
This PR makes sense, however I have a few comments:
- except in cases where a change is only valid for a specific version, PRs should be opened against the master branch, and Elastic then handles the backport to the other branches
- the default value should be True to avoid a breaking change
Also I don't know if we should migrate the way we configure service accounts to be like the elasticsearch chart, with an rbac value, before this change. I would like to think about it.
Force-pushed 70803f2 to a438600
💚 CLA has been signed
Hi there, same here: I've (re)signed the CLA, rebased and changed the default. Should be good now
Force-pushed a438600 to 44b4c5c
LGTM⛴
jenkins test this please
Some changes are required to make the Black formatter happy in elastic+helm-charts+pull-request+lint-python/1092.
Can you run black kibana/tests/kibana_test.py?
Kibana has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf of/through the Pod. This commit allows users to opt out of SA token automount, but leaves current behaviour untouched to avoid breaking things.
Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
Force-pushed 44b4c5c to b2dbad1
done
jenkins test this please
@jmlrt : is there anything else I can do?
Hi @jonkerj, sorry, the PR is approved but CI tests are broken for now.
Kibana has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf of/through the Pod. This commit allows users to opt out of SA token automount, but leaves current behaviour untouched to avoid breaking things.
Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
Co-authored-by: Jorik Jonker <jorik@kippendief.biz>
Benefits
By disabling the automount, potential attackers cannot access the Kubernetes API on behalf/through the pod.
Possible drawbacks
If anyone is using some sidecar or plugin to access the Kubernetes API, they will have to explicitly enable (--set automountToken=true) the automount of the SA token in the values.
Applicable issues
#1330
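The benefit and the drawback described in the PR body both come down to one question: does a token end up on disk inside the pod? The following is an added example, not code from the elastic/helm-charts project or from this PR. It encodes the Kubernetes precedence rule (the pod spec's automountServiceAccountToken overrides the ServiceAccount's, and both unset means true) and also flags a projected serviceAccountToken volume mounted for a sidecar, which re-exposes a token even when automount is off. It assumes the chart's automountToken value is rendered into the pod spec's automountServiceAccountToken field; the three pod manifests and the ServiceAccount are constructed sample input, not output from a real cluster.

```python
"""Audit whether a Kibana pod ends up with a service account token on disk.

Added example, not elastic/helm-charts code. Implements the Kubernetes
precedence rule for automountServiceAccountToken and detects explicitly
projected tokens. All manifests below are constructed sample input.
"""
import json

# Constructed sample ServiceAccount; no automountServiceAccountToken field set,
# so the pod-level setting (or the default of true) decides.
SERVICE_ACCOUNT = json.loads('''{
  "kind": "ServiceAccount",
  "metadata": {"name": "kibana"}
}''')

# Constructed sample pods: the chart default (automount left on), the hardened
# form (--set automountToken=false, assumed to render the pod field below), and
# a hardened pod whose sidecar mounts a projected token anyway.
PODS = json.loads('''[
  {"metadata": {"name": "kibana-default"},
   "spec": {"serviceAccountName": "kibana",
            "containers": [{"name": "kibana"}]}},
  {"metadata": {"name": "kibana-hardened"},
   "spec": {"serviceAccountName": "kibana",
            "automountServiceAccountToken": false,
            "containers": [{"name": "kibana"}]}},
  {"metadata": {"name": "kibana-sidecar"},
   "spec": {"serviceAccountName": "kibana",
            "automountServiceAccountToken": false,
            "volumes": [{"name": "sa-token",
                         "projected": {"sources": [{"serviceAccountToken": {"path": "token"}}]}}],
            "containers": [{"name": "kibana"},
                           {"name": "sidecar",
                            "volumeMounts": [{"name": "sa-token",
                                              "mountPath": "/var/run/secrets/tokens"}]}]}}
]''')


def effective_automount(pod, service_account):
    """Kubernetes precedence: pod spec wins, then the ServiceAccount, then default true."""
    pod_setting = pod.get("spec", {}).get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    sa_setting = service_account.get("automountServiceAccountToken")
    if sa_setting is not None:
        return bool(sa_setting)
    return True


def explicit_token_volumes(pod):
    """Names of projected volumes that carry a serviceAccountToken source."""
    names = []
    for vol in pod.get("spec", {}).get("volumes", []):
        sources = vol.get("projected", {}).get("sources", [])
        if any("serviceAccountToken" in src for src in sources):
            names.append(vol["name"])
    return names


def token_exposed(pod, service_account):
    """True if any container in the pod ends up with an API token on disk."""
    if effective_automount(pod, service_account):
        return True
    token_vols = set(explicit_token_volumes(pod))
    for container in pod.get("spec", {}).get("containers", []):
        for mount in container.get("volumeMounts", []):
            if mount.get("name") in token_vols:
                return True
    return False


def audit(pods, service_account):
    """Map pod name -> whether a token is reachable from inside the pod."""
    return {p["metadata"]["name"]: token_exposed(p, service_account) for p in pods}


if __name__ == "__main__":
    for name, exposed in audit(PODS, SERVICE_ACCOUNT).items():
        print(f"{name}: {'token mounted' if exposed else 'no token'}")
```

Run against `kubectl get pod -o json` output the same functions apply unchanged; the point of the third sample pod is that the sidecar case from the drawbacks section does not require turning automount back on for the Kibana container itself, but the audit still reports the pod as carrying a token, which is the honest answer for risk review.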
${CHART}/tests/*.py
${CHART}/examples/*/test/goss.yaml