Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

automountServiceAccountToken to false? #12

Open
samc1213 opened this issue Aug 1, 2024 · 1 comment
Open

automountServiceAccountToken to false? #12

samc1213 opened this issue Aug 1, 2024 · 1 comment

Comments

@samc1213
Copy link

samc1213 commented Aug 1, 2024
edited
Loading

I am not deeply familiar with the scope of the pod security admission policies. However, it seems that setting automountServiceAccountToken to true (the default) on a pod spec can allow a pod to escalate privileges via kubernetes API access. Is there a reason there is not a rule for this pod spec configuration in the Pod Security Standards?
@joebowbeer
Copy link

joebowbeer commented Aug 1, 2024
edited
Loading

According to its description, this repo implements the pod security standards (PSS), which do not include an automountServiceAccountToken restriction:

https://kubernetes.io/docs/concepts/security/pod-security-standards/

While I think the ability to restrict automountServiceAccountToken would be helpful in a general purpose admission policy library, which this apparently is not, I don't think it would be feasible to enforce it in all namespaces at this time, for the reasons explained here:

nginxinc/kubernetes-ingress#3562 (comment)

Before it could be enforced cluster-wide, nginx and a lot of other popular controllers would need to change the way they obtain their token.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joebowbeer @samc1213