This repository has been archived by the owner on May 16, 2023. It is now read-only.
[elasticsearch]: optionally disable SA token automount #1300
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
jonkerj
changed the title
jonkerj
force-pushed
the
elastic-opt-mount-sa-token
branch
from
f802e01
to
b90e320
Compare
jonkerj
changed the title
|
Hi devs, is there anything I can do to get this ball rolling? |
jonkerj
force-pushed
the
elastic-opt-mount-sa-token
branch
from
b90e320
to
9b0c798
Compare
|
Rebased/cherry-picked to 7.14 |
|
Hi devs, I'd really like someone to take a look at this security fix. Is there anything I can do to get this fixed? |
|
@jmlrt any chance you could take a look at this PR? Looks like you are an active dev here, and I'd really like this feature at least considered 😉 |
jmlrt
suggested changes
Sep 16, 2021
There was a problem hiding this comment.
Hi @jonkerj, sorry for the late answer.
This PR makes sense, however I have a few comments:
- unless cases where a change is only valid for a specific version, PR should be opened to master branch then Elastic handle the backport to the other branches
- the default value should be True to avoid a breaking change
jonkerj
force-pushed
the
elastic-opt-mount-sa-token
branch
from
9b0c798
to
f2a4049
Compare
|
💚 CLA has been signed |
jonkerj
force-pushed
the
elastic-opt-mount-sa-token
branch
from
f2a4049
to
b3a4cf7
Compare
|
Better late than never ;-) I've (re-)signed the CLA, fixed both things, and force pushed. Should be good now. |
jonkerj
force-pushed
the
elastic-opt-mount-sa-token
branch
from
b3a4cf7
to
9b877d3
Compare
jonkerj
changed the title
|
jenkins test this please |
jmlrt
suggested changes
Sep 20, 2021
There was a problem hiding this comment.
Some changes are required to make Black formatter happy in elastic+helm-charts+pull-request+lint-python/1093.
Can you run black elasticsearch/tests/elasticsearch_test.py?
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]>
jonkerj
force-pushed
the
elastic-opt-mount-sa-token
branch
from
9b877d3
to
6d7332a
Compare
|
done |
|
jenkins test this please |
|
@jmlrt : is there anything else I can do? |
|
Hi @jonkerj, sorry the PR is approved but CI tests are broken for now. |
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]>
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]>
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]>
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]>
jmlrt
added a commit
that referenced
this pull request
Oct 11, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]> Co-authored-by: Jorik Jonker <[email protected]>
jmlrt
added a commit
that referenced
this pull request
Oct 11, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]> Co-authored-by: Jorik Jonker <[email protected]>
jmlrt
added a commit
that referenced
this pull request
Oct 12, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <[email protected]> Co-authored-by: Jorik Jonker <[email protected]>
This was referenced Dec 14, 2021
Merged
Merged
Merged
This was referenced Sep 14, 2022
Merged
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of the change
It disables the automounting of the service account token in the pod. Elastic does not need this by itself. This commit disables it by default, but leaves it configurable if anyone needs to use it.
Benefits
By disabling the automount, potential attackers cannot access the Kubernetes API on behalf/through the pod.
Possible drawbacks
If anyone is using some sidecar or plugin to access the Kubernetes API, they will have to explicitly enable (
--set rbac.automountToken=true) the automount of the SA token in the values.Applicable issues
#1330
${CHART}/tests/*.py${CHART}/examples/*/test/goss.yaml