lockc-project / lockc

Making containers more secure with eBPF and Linux Security Modules (LSM)
https://lockc-project.github.io/
Apache License 2.0
218 stars 19 forks

Block access to the ServiceAccount token that is available inside of each Pod #97

Closed flavio closed 2 years ago

flavio commented 2 years ago

Each Pod scheduled by Kubernetes has the following contents under /var/run/secrets/kubernetes.io:

bash-5.0# ls -l /var/run/secrets/kubernetes.io/serviceaccount/
total 0
lrwxrwxrwx    1 root     root            13 Nov 13 07:22 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root            16 Nov 13 07:22 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root            12 Nov 13 07:22 token -> ..data/token

The majority of the containerized workloads do not need to interact with the Kubernetes API server. Hence they don't need to read the token that is associated with the ServiceAccount used to create the Pod.

On the other hand, an attacker can use this token to perform nasty operations against the API server and potentially find a way to escape (for example: start a privileged Pod in the same Namespace).
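The Kubernetes-side rule for whether that directory is projected into a Pod is worth writing down, because an auditor needs it to tell which workloads in a cluster actually carry the token. The following check is an added example and is not code from lockc or from this issue (the lockc change in #103 is not shown here). It assumes the documented Kubernetes behaviour: the Pod's own `spec.automountServiceAccountToken` wins, then the ServiceAccount's `automountServiceAccountToken`, and the default is true; a Pod can also mount the token explicitly through a projected volume with a `serviceAccountToken` source, which the check reports separately. The Pod and ServiceAccount objects are constructed sample data, shaped like the `kubectl get -o json` output, not real cluster objects.

```python
"""Audit Pod specs for a mounted ServiceAccount token (added example).

Decision rule assumed from the Kubernetes docs:
  1. pod.spec.automountServiceAccountToken, if set, decides;
  2. otherwise the ServiceAccount's automountServiceAccountToken, if set;
  3. otherwise the token is mounted (default true).
A projected volume with a serviceAccountToken source mounts a token
regardless of the automount setting, so it is reported on its own.
"""

SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"

# Constructed sample ServiceAccounts, keyed by name (not real objects).
SAMPLE_SERVICE_ACCOUNTS = {
    "default": {"metadata": {"name": "default"}},
    "builder": {"metadata": {"name": "builder"},
                "automountServiceAccountToken": False},
    "reader": {"metadata": {"name": "reader"},
               "automountServiceAccountToken": False},
}

# Constructed sample Pods covering each branch of the rule.
SAMPLE_PODS = [
    # No setting anywhere: token is mounted by default.
    {"metadata": {"name": "web"}, "spec": {"containers": []}},
    # Pod opts out explicitly, so the ServiceAccount default is irrelevant.
    {"metadata": {"name": "batch"},
     "spec": {"automountServiceAccountToken": False, "containers": []}},
    # ServiceAccount opts out, but the Pod mounts a token via a projected volume.
    {"metadata": {"name": "ci-runner"},
     "spec": {"serviceAccountName": "builder", "containers": [],
              "volumes": [{"name": "sa-token", "projected": {"sources": [
                  {"serviceAccountToken": {"path": "token"}}]}}]}},
    # ServiceAccount opts out and the Pod says nothing: no token.
    {"metadata": {"name": "metrics"},
     "spec": {"serviceAccountName": "reader", "containers": []}},
]


def token_auto_mounted(pod: dict, service_accounts: dict) -> bool:
    """Return True if Kubernetes would project SA_TOKEN_PATH into this Pod."""
    spec = pod.get("spec", {})
    pod_setting = spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    # Pods that name no ServiceAccount use the namespace's "default" one.
    sa = service_accounts.get(spec.get("serviceAccountName", "default"), {})
    sa_setting = sa.get("automountServiceAccountToken")
    if sa_setting is not None:
        return bool(sa_setting)
    return True


def explicit_token_volumes(pod: dict) -> list:
    """Names of projected volumes that carry a serviceAccountToken source."""
    names = []
    for vol in pod.get("spec", {}).get("volumes", []):
        sources = vol.get("projected", {}).get("sources", [])
        if any("serviceAccountToken" in src for src in sources):
            names.append(vol["name"])
    return names


def audit(pods: list, service_accounts: dict) -> list:
    """Return (pod name, reason) pairs for every Pod that ends up with a token."""
    findings = []
    for pod in pods:
        reasons = []
        if token_auto_mounted(pod, service_accounts):
            reasons.append("automount enabled")
        vols = explicit_token_volumes(pod)
        if vols:
            reasons.append("projected token volume(s): " + ", ".join(vols))
        if reasons:
            findings.append((pod["metadata"]["name"], "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in audit(SAMPLE_PODS, SAMPLE_SERVICE_ACCOUNTS):
        print(f"{name}: {reason} ({SA_TOKEN_PATH})")
```

Only `web` and `ci-runner` are reported: `batch` opts out at the Pod level and `metrics` inherits the opt-out from its ServiceAccount. Running the same logic over real `kubectl get pods,serviceaccounts -o json` output gives the list of workloads where the token described above is reachable from inside the container, which is the set a file-access control such as the one this issue asks for has to cover.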

mjura commented 2 years ago

This change was addressed in https://github.com/rancher-sandbox/lockc/pull/103

vadorovsky commented 2 years ago

This change was addressed in #103

Next time you can reference issues by writing Fixes: #103 in your commit message and pull request. After doing so, if the PR gets merged, the issue gets closed and moved on the project board without the need to do that manually.

vadorovsky commented 2 years ago

It's done.