SAP-archive / karydia

Kubernetes Security Walnut

Service Account Token is Mounted #165

Closed CodeClinch closed 5 years ago

CodeClinch commented 5 years ago

Description

After installation of karydia the service account token still gets mounted. This shouldn't be the case.

Steps to reproduce

  1. Install karydia

  2. Create namespace demo

  3. Start pod: kubectl run -it --rm --restart=Never alpine --image=alpine sh -n demo

  4. kubectl describe pod/alpine -n demo

     Containers:
       alpine2:
         Container ID:   docker://97a60c50df9a54e98b79829b58f5628fa9b7da08fa022895897989611a630a79
         Image:          alpine
         Image ID:       docker-pullable://alpine@sha256:ca1c944a4f8486a153024d9965aafbe24f5723c1d5c02f4964c045a16d19dc54
         Port:
         Host Port:
         Args:
           sh
         State:          Running
           Started:      Thu, 11 Jul 2019 13:46:23 +0200
         Ready:          True
         Restart Count:  0
         Environment:
         Mounts:
           /var/run/secrets/kubernetes.io/serviceaccount from default-token-27sll (ro)

  5. Config

     Name:         karydia-config
     Namespace:
     Labels:       app=karydia
     Annotations:
     API Version:  karydia.gardener.cloud/v1alpha1
     Kind:         KarydiaConfig
     Metadata:
       Creation Timestamp:  2019-07-11T07:37:03Z
       Generation:          1
       Resource Version:    40308
       Self Link:           /apis/karydia.gardener.cloud/v1alpha1/karydiaconfigs/karydia-config
       UID:                 78db2b8e-65cd-483a-8721-745893b1a227
     Spec:
       Automount Service Account Token:  change-default
       Network Policy:                   kube-system:karydia-default-network-policy
       Pod Security Context:             nobody
       Seccomp Profile:                  runtime/default
     Events:

  6. kubectl edit pod/alpine2 -n demo

     apiVersion: v1
     kind: Pod
     metadata:
       annotations:
         cni.projectcalico.org/podIP: 100.96.0.18/32
         karydia.gardener.cloud/podSecurityContext.internal: config/nobody
         karydia.gardener.cloud/seccompProfile.internal: config/runtime/default
         kubernetes.io/psp: gardener.privileged
         seccomp.security.alpha.kubernetes.io/pod: runtime/default
       creationTimestamp: "2019-07-11T11:46:21Z"
       labels:
         run: alpine2
       name: alpine2
       namespace: demo
       resourceVersion: "83200"
       selfLink: /api/v1/namespaces/demo/pods/alpine2
       uid: f13d38b6-ec13-444f-a85c-60f8959e1149
     spec:

Expected behavior

I would expect the service account not to be mounted.

Logs / console output / screenshots / affected lines of code

Environment

dacappo commented 5 years ago

Just tried, but cannot reproduce.

Did you use the prod or test installation/container?

When querying for the default ServiceAccount in namespace demo, the settings are applied correctly in my case:

apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  annotations:
    karydia.gardener.cloud/automountServiceAccountToken.internal: config/change-default

As a result, I don't see any mounted directories.

dacappo commented 5 years ago

Took a look into your cluster amy4, and the demo namespace's default ServiceAccount is missing the corresponding annotation. When creating new namespaces, e.g. demo2 and demo3, the behavior is as expected and no service tokens are mounted. Is it possible that the demo ns was created before Karydia was installed?
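To audit for exactly the situation described in this thread (namespaces created before karydia was installed, whose default ServiceAccount was never patched), here is an added check script; it is not karydia's own code. It applies the Kubernetes precedence rule (pod-level automountServiceAccountToken wins, otherwise the ServiceAccount's value, otherwise mount) and flags default ServiceAccounts that still mount tokens or lack the karydia annotation shown above. The function names and the sample input are constructed for this example.

```python
import json
import sys

# Annotation karydia writes on a ServiceAccount it has patched (from dacappo's output above).
KARYDIA_ANNOTATION = "karydia.gardener.cloud/automountServiceAccountToken.internal"


def index_service_accounts(sa_list):
    """Map (namespace, name) -> ServiceAccount from a 'kubectl get sa -A -o json' list."""
    return {(i["metadata"]["namespace"], i["metadata"]["name"]): i for i in sa_list["items"]}


def effective_automount(pod, sa_index):
    """Kubernetes rule: an explicit pod-level automountServiceAccountToken wins; otherwise
    the ServiceAccount's value applies; if neither is set the token is mounted (True)."""
    spec = pod.get("spec", {})
    if "automountServiceAccountToken" in spec:
        return bool(spec["automountServiceAccountToken"])
    key = (pod["metadata"]["namespace"], spec.get("serviceAccountName", "default"))
    return bool(sa_index.get(key, {}).get("automountServiceAccountToken", True))


def unprotected_default_accounts(sa_list):
    """Namespaces whose default ServiceAccount still mounts tokens or lacks the karydia
    annotation, i.e. namespaces karydia did not patch (such as ones created before install)."""
    hits = []
    for item in sa_list["items"]:
        meta = item["metadata"]
        if meta["name"] != "default":
            continue
        annotated = KARYDIA_ANNOTATION in (meta.get("annotations") or {})
        if item.get("automountServiceAccountToken", True) or not annotated:
            hits.append(meta["namespace"])
    return sorted(hits)


# Constructed sample modelled on the thread: 'demo' predates karydia, 'demo2' was patched.
SAMPLE_SA_LIST = {"items": [
    {"metadata": {"namespace": "demo", "name": "default"}},
    {"metadata": {"namespace": "demo2", "name": "default",
                  "annotations": {KARYDIA_ANNOTATION: "config/change-default"}},
     "automountServiceAccountToken": False},
]}
# Constructed pod like alpine2 above: no pod-level field, so the ServiceAccount decides.
SAMPLE_POD = {"metadata": {"namespace": "demo", "name": "alpine2"}, "spec": {}}

if __name__ == "__main__":  # usage: kubectl get sa -A -o json | python3 check_sa.py
    print("\n".join(unprotected_default_accounts(json.load(sys.stdin))))
```

Namespaces reported by the script are the ones where a freshly created pod will still get /var/run/secrets/kubernetes.io/serviceaccount mounted unless the pod spec opts out itself.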