This repository was archived by the owner on May 16, 2023. It is now read-only.
[elasticsearch]: optionally disable SA token automount#1300
Merged
jmlrt merged 1 commit intoelastic:masterfrom Oct 1, 2021
equinix-ms:elastic-opt-mount-sa-token
Merged
[elasticsearch]: optionally disable SA token automount#1300jmlrt merged 1 commit intoelastic:masterfrom equinix-ms:elastic-opt-mount-sa-token
jmlrt merged 1 commit intoelastic:masterfrom
equinix-ms:elastic-opt-mount-sa-token
Conversation
Collaborator
|
Since this is a community submitted pull request, a Jenkins build has not been kicked off automatically. Can an Elastic organization member please verify the contents of this patch and then kick off a build manually? |
jonkerj
changed the title
jonkerj
changed the title
Contributor
Author
|
Hi devs, is there anything I can do to get this ball rolling? |
Contributor
Author
|
Rebased/cherry-picked to 7.14 |
Contributor
Author
|
Hi devs, I'd really like someone to take a look at this security fix. Is there anything I can do to get this fixed? |
Contributor
Author
|
@jmlrt any chance you could take a look at this PR? Looks like you are an active dev here, and I'd really like this feature at least considered 😉 |
jmlrt
suggested changes
Sep 16, 2021
Member
jmlrt
left a comment
jmlrt
left a comment
There was a problem hiding this comment.
Hi @jonkerj, sorry for the late answer.
This PR makes sense, however I have a few comments:
- unless cases where a change is only valid for a specific version, PR should be opened to master branch then Elastic handle the backport to the other branches
- the default value should be True to avoid a breaking change
|
💚 CLA has been signed |
Contributor
Author
|
Better late than never ;-) I've (re-)signed the CLA, fixed both things, and force pushed. Should be good now. |
jonkerj
changed the title
Member
|
jenkins test this please |
jmlrt
suggested changes
Sep 20, 2021
Member
jmlrt
left a comment
jmlrt
left a comment
There was a problem hiding this comment.
Some changes are required to make Black formatter happy in elastic+helm-charts+pull-request+lint-python/1093.
Can you run black elasticsearch/tests/elasticsearch_test.py?
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
Contributor
Author
|
done |
Member
|
jenkins test this please |
Contributor
Author
|
@jmlrt : is there anything else I can do? |
Member
|
Hi @jonkerj, sorry the PR is approved but CI tests are broken for now. |
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
jmlrt
pushed a commit
to jmlrt/helm-charts
that referenced
this pull request
Oct 7, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
jmlrt
added a commit
that referenced
this pull request
Oct 11, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com> Co-authored-by: Jorik Jonker <jorik@kippendief.biz>
jmlrt
added a commit
that referenced
this pull request
Oct 11, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com> Co-authored-by: Jorik Jonker <jorik@kippendief.biz>
jmlrt
added a commit
that referenced
this pull request
Oct 12, 2021
ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com> Co-authored-by: Jorik Jonker <jorik@kippendief.biz>
This was referenced Dec 14, 2021
Merged
Merged
Merged
This was referenced Sep 14, 2022
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of the change
It disables the automounting of the service account token in the pod. Elastic does not need this by itself. This commit disables it by default, but leaves it configurable if anyone needs to use it.
Benefits
By disabling the automount, potential attackers cannot access the Kubernetes API on behalf/through the pod.
Possible drawbacks
If anyone is using some sidecar or plugin to access the Kubernetes API, they will have to explicitly enable (
--set rbac.automountToken=true) the automount of the SA token in the values.Applicable issues
#1330
${CHART}/tests/*.py${CHART}/examples/*/test/goss.yaml