What would you like to be added:
Currently, the webhook uses the value of --token-mount-path (default /var/run/secrets/eks.amazonaws.com/serviceaccount/token) to determine where inside the pod the token file should be mounted.
Instead, I would like the ability for the path to the token file to contain a random element (e.g. /var/run/secrets/eks.amazonaws.com/serviceaccount/token-<uuid>).
Why is this needed:
To prevent Local File Inclusion attacks. If an attacker knows where the file is and has gained the ability to read files from disk, they can read the token file and potentially assume a role that trusts the service account. If the path is random then they can't do that.
I'm checking to see if you would be willing to accept a PR for this feature. If so, I would be happy to submit one.
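The following is an added example, not code from the issue author or from the amazon-eks-pod-identity-webhook project, sketching the mutation the request describes: take the configured token path, append a per-pod random element generated from crypto/rand, and emit the JSON patch a mutating admission webhook would return to mount the projected token there and point AWS_WEB_IDENTITY_TOKEN_FILE at it. The function and volume names, the use of container index 0, the treatment of the configured value as the full file path, and the assumption that the target arrays already exist in the pod spec are all assumptions of this example. It also includes a small check worth having in mind when weighing the proposal: because the webhook injects the file path into the container's environment, anything that can read that environment (for instance /proc/self/environ through the same file-read primitive) learns the randomized path, so the randomization only raises the bar for an attacker limited to reading fixed, known paths.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"path"
)

// Default quoted in the issue; this example treats it as the full path of the
// token file (directory + file name), an assumption made for illustration.
const defaultTokenMountPath = "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"

// randomSuffix returns 2n hex characters from crypto/rand. math/rand would be
// wrong here: the whole point of the feature is an unguessable file name.
func randomSuffix(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// tokenLocation splits the configured path into the directory the projected
// volume is mounted on and the file name the token is projected as. With
// randomize set, the file name gets a per-pod random element as proposed.
func tokenLocation(mountPath string, randomize bool) (dir, file string, err error) {
	dir, file = path.Split(path.Clean(mountPath))
	dir = path.Clean(dir)
	if file == "" || file == "." || file == "/" {
		return "", "", fmt.Errorf("token mount path %q has no file component", mountPath)
	}
	if randomize {
		s, err := randomSuffix(16)
		if err != nil {
			return "", "", err
		}
		file = file + "-" + s
	}
	return dir, file, nil
}

// patchOp is one RFC 6902 JSON patch operation, the form a mutating
// admission webhook returns in its AdmissionResponse.
type patchOp struct {
	Op    string      `json:"op"`
	Path  string      `json:"path"`
	Value interface{} `json:"value,omitempty"`
}

// buildPatch mounts a projected service account token as dir/file in container 0
// and sets AWS_WEB_IDENTITY_TOKEN_FILE to that path. Volume name, container
// index and the existence of the target arrays are assumptions of this example.
func buildPatch(dir, file, audience string, expirySeconds int64) []patchOp {
	volume := map[string]interface{}{
		"name": "aws-iam-token",
		"projected": map[string]interface{}{
			"sources": []interface{}{
				map[string]interface{}{
					"serviceAccountToken": map[string]interface{}{
						"audience":          audience,
						"expirationSeconds": expirySeconds,
						"path":              file,
					},
				},
			},
		},
	}
	mount := map[string]interface{}{
		"name":      "aws-iam-token",
		"mountPath": dir,
		"readOnly":  true,
	}
	env := map[string]interface{}{
		"name":  "AWS_WEB_IDENTITY_TOKEN_FILE",
		"value": path.Join(dir, file),
	}
	return []patchOp{
		{Op: "add", Path: "/spec/volumes/-", Value: volume},
		{Op: "add", Path: "/spec/containers/0/volumeMounts/-", Value: mount},
		{Op: "add", Path: "/spec/containers/0/env/-", Value: env},
	}
}

// tokenFileFromPatch recovers the token path from the injected env var: this is
// exactly what a process inside the pod (or an attacker who can read its
// environment) sees, random suffix included.
func tokenFileFromPatch(ops []patchOp) string {
	for _, op := range ops {
		env, ok := op.Value.(map[string]interface{})
		if !ok || env["name"] != "AWS_WEB_IDENTITY_TOKEN_FILE" {
			continue
		}
		if v, ok := env["value"].(string); ok {
			return v
		}
	}
	return ""
}

func main() {
	dir, file, err := tokenLocation(defaultTokenMountPath, true)
	if err != nil {
		panic(err)
	}
	ops := buildPatch(dir, file, "sts.amazonaws.com", 86400)
	out, _ := json.MarshalIndent(ops, "", "  ")
	fmt.Println(string(out))
	fmt.Println("token path visible in container env:", tokenFileFromPatch(ops))
}
```

Running it prints the three patch operations and then the randomized path as it appears in the container's environment, which is the part to keep in mind when judging how much the random element helps against a given file-read primitive.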