From a1823d1007ff71cacbf458d41c85b2341736c9f8 Mon Sep 17 00:00:00 2001
From: Jorik Jonker
Date: Fri, 1 Oct 2021 10:25:12 +0200
Subject: [PATCH] [elasticsearch]: optionally disable SA token automount (#1300)
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things.
Signed-off-by: Jorik Jonker
---
 elasticsearch/README.md | 2 +-
 elasticsearch/templates/statefulset.yaml | 1 +
 elasticsearch/tests/elasticsearch_test.py | 26 +++++++++++++++++++++++
 elasticsearch/values.yaml | 1 +
 4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/elasticsearch/README.md b/elasticsearch/README.md
index 23fc51dcd..53ec45dc4 100644
--- a/elasticsearch/README.md
+++ b/elasticsearch/README.md
@@ -152,7 +152,7 @@ support multiple versions with minimal changes.
 | `podSecurityPolicy` | Configuration for create a pod security policy with minimal permissions to run this Helm chart with `create: true`. Also can be used to reference an external pod security policy with `name: "externalPodSecurityPolicy"` | see [values.yaml][] |
 | `priorityClassName` | The name of the [PriorityClass][]. No default is supplied as the PriorityClass must be created first | `""` |
 | `protocol` | The protocol that will be used for the readiness [probe][]. Change this to `https` if you have `xpack.security.http.ssl.enabled` set | `http` |
-| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"` | see [values.yaml][] |
+| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"`, or automount the service account token | see [values.yaml][] |
 | `readinessProbe` | Configuration fields for the readiness [probe][] | see [values.yaml][] |
 | `replicas` | Kubernetes replica count for the StatefulSet (i.e. how many pods) | `3` |
 | `resources` | Allows you to set the [resources][] for the StatefulSet | see [values.yaml][] |
diff --git a/elasticsearch/templates/statefulset.yaml b/elasticsearch/templates/statefulset.yaml
index e3a34c513..29db942b5 100644
--- a/elasticsearch/templates/statefulset.yaml
+++ b/elasticsearch/templates/statefulset.yaml
@@ -74,6 +74,7 @@ spec:
 {{- else if not (eq .Values.rbac.serviceAccountName "") }}
 serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}
 {{- end }}
+ automountServiceAccountToken: {{ .Values.rbac.automountToken }}
 {{- with .Values.tolerations }}
 tolerations:
 {{ toYaml . | indent 6 }}
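Review bot: Rendering `automountServiceAccountToken: {{ .Values.rbac.automountToken }}` unconditionally means every pod now carries an explicit `true` by default, and in Kubernetes the pod-level field takes precedence over the ServiceAccount's own `automountServiceAccountToken` setting, so a user who had already opted out on an external ServiceAccount referenced through `rbac.serviceAccountName` would get the token mounted again after this upgrade. Emitting the field only on opt-out keeps the previous default and the ServiceAccount-level choice intact: `{{- if not .Values.rbac.automountToken }}` / `automountServiceAccountToken: false` / `{{- end }}` (the default-case test would then check that the key is absent). If the explicit `true` is intended, the README row should say that it overrides the ServiceAccount setting. Do not reach for `default true` as a guard here, since `false` is the zero value in Go templates and would be replaced. The enclosing pod `spec` block starts and ends outside the hunk.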
diff --git a/elasticsearch/tests/elasticsearch_test.py b/elasticsearch/tests/elasticsearch_test.py
index 29ba2a210..d0c7319fc 100755
--- a/elasticsearch/tests/elasticsearch_test.py
+++ b/elasticsearch/tests/elasticsearch_test.py
@@ -1486,3 +1486,29 @@ def test_network_policy():
 ]
 assert transport["ports"][0]["port"] == 9300
 assert pod_selector == {"matchLabels": {"app": "elasticsearch-master",}}
+
+
+def test_default_automount_sa_token():
+ config = """
+"""
+ r = helm_template(config)
+ assert (
+ r["statefulset"][uname]["spec"]["template"]["spec"][
+ "automountServiceAccountToken"
+ ]
+ == True
+ )
+
+
+def test_disable_automount_sa_token():
+ config = """
+rbac:
+ automountToken: false
+"""
+ r = helm_template(config)
+ assert (
+ r["statefulset"][uname]["spec"]["template"]["spec"][
+ "automountServiceAccountToken"
+ ]
+ == False
+ )
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index 7a0a7d99c..0fbc6c423 100755
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -100,6 +100,7 @@ rbac: create: false serviceAccountAnnotations: {} serviceAccountName: "" + automountToken: true podSecurityPolicy: create: false
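Review bot: Both new tests compare the rendered value with `== True` and `== False` (flake8 E712); since the assertion is against a boolean singleton, `is True` in `test_default_automount_sa_token` and `is False` in `test_disable_automount_sa_token` is the idiomatic form and reads as the intent. The two cases cover the default and the plain opt-out only; a third case that sets `rbac.serviceAccountName` together with `automountToken: false` would pin down that the new field still renders when an external ServiceAccount is referenced, which is the combination a hardening-minded user is most likely to deploy.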
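Review bot: The new `automountToken: true` key in values.yaml carries no comment, and nothing in the hunk tells a reader what it controls or why they would flip it. A one-line comment above it would do, e.g. `# Set to false to stop mounting the ServiceAccount token into the Elasticsearch pods; Elasticsearch does not call the Kubernetes API, so a compromised pod then has no credential for it.` The README row for `rbac` was updated in this commit, so this is only about the inline documentation that users of `helm show values` see.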