From 6d7332a6dc8ff8f3bc7d20b26b70878b67f550e3 Mon Sep 17 00:00:00 2001 From: Jorik Jonker Date: Tue, 20 Jul 2021 09:48:53 +0200 Subject: [PATCH] [elasticsearch]: optionally disable SA token automount ES has no direct interaction with the Kubernetes API, and as such, it does not need a mounted service account token in its pods. By disabling this automount, potential attackers cannot access the API on behalf/through the Pod. This commit allows users to opt out on SA token automount. It leaves the current behaviour unchanged, to avoid breaking things. Signed-off-by: Jorik Jonker --- elasticsearch/README.md | 2 +- elasticsearch/templates/statefulset.yaml | 1 + elasticsearch/tests/elasticsearch_test.py | 26 +++++++++++++++++++++++ elasticsearch/values.yaml | 1 + 4 files changed, 29 insertions(+), 1 deletion(-)
diff --git a/elasticsearch/README.md b/elasticsearch/README.md
index b4b312647..9999956f7 100644
--- a/elasticsearch/README.md
+++ b/elasticsearch/README.md
@@ -151,7 +151,7 @@ support multiple versions with minimal changes.
 | `podSecurityPolicy` | Configuration for create a pod security policy with minimal permissions to run this Helm chart with `create: true`. Also can be used to reference an external pod security policy with `name: "externalPodSecurityPolicy"` | see [values.yaml][] |
 | `priorityClassName` | The name of the [PriorityClass][]. No default is supplied as the PriorityClass must be created first | `""` |
 | `protocol` | The protocol that will be used for the readiness [probe][]. Change this to `https` if you have `xpack.security.http.ssl.enabled` set | `http` |
-| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"` | see [values.yaml][] |
+| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"`, or automount the service account token | see [values.yaml][] |
 | `readinessProbe` | Configuration fields for the readiness [probe][] | see [values.yaml][] |
 | `replicas` | Kubernetes replica count for the StatefulSet (i.e. how many pods) | `3` |
 | `resources` | Allows you to set the [resources][] for the StatefulSet | see [values.yaml][] |
diff --git a/elasticsearch/templates/statefulset.yaml b/elasticsearch/templates/statefulset.yaml
index 1e8c5d1c4..3d4e5015e 100644
--- a/elasticsearch/templates/statefulset.yaml
+++ b/elasticsearch/templates/statefulset.yaml
@@ -74,6 +74,7 @@ spec:
 {{- else if not (eq .Values.rbac.serviceAccountName "") }}
 serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }}
 {{- end }}
+ automountServiceAccountToken: {{ .Values.rbac.automountToken }}
 {{- with .Values.tolerations }}
 tolerations:
 {{ toYaml . | indent 6 }}
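Review bot: The new `automountServiceAccountToken` line carries no explanation of why the chart exposes this knob, and the surrounding `serviceAccountName` logic means that with `rbac.create: false` and an empty `serviceAccountName` the pod runs under the namespace's `default` ServiceAccount, whose token is what gets mounted unless the operator opts out. A short template comment above the line would save the next maintainer a trip to the commit log: `{{- /* Elasticsearch never calls the Kubernetes API; rbac.automountToken=false keeps the ServiceAccount token out of the pod (the pod-level field should take precedence over the ServiceAccount's own automount flag) */ }}`. Emitting the field unconditionally is fine, since it only pins the previously implicit default of `true` explicitly. The pod `spec` this line sits in starts and ends outside the hunk.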
diff --git a/elasticsearch/tests/elasticsearch_test.py b/elasticsearch/tests/elasticsearch_test.py
index 768a2aa33..20e2446dc 100755
--- a/elasticsearch/tests/elasticsearch_test.py
+++ b/elasticsearch/tests/elasticsearch_test.py
@@ -1420,3 +1420,29 @@ def test_network_policy():
 ]
 assert transport["ports"][0]["port"] == 9300
 assert pod_selector == {"matchLabels": {"app": "elasticsearch-master",}}
+
+
+def test_default_automount_sa_token():
+ config = """
+"""
+ r = helm_template(config)
+ assert (
+ r["statefulset"][uname]["spec"]["template"]["spec"][
+ "automountServiceAccountToken"
+ ]
+ == True
+ )
+
+
+def test_disable_automount_sa_token():
+ config = """
+rbac:
+ automountToken: false
+"""
+ r = helm_template(config)
+ assert (
+ r["statefulset"][uname]["spec"]["template"]["spec"][
+ "automountServiceAccountToken"
+ ]
+ == False
+ )
diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml
index cb3ff6d81..87945c49c 100755
--- a/elasticsearch/values.yaml
+++ b/elasticsearch/values.yaml
@@ -104,6 +104,7 @@ rbac:
 create: false
 serviceAccountAnnotations: {}
 serviceAccountName: ""
+ automountToken: true
 podSecurityPolicy:
 create: false
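Review bot: Both new tests compare the rendered value with `== True` / `== False`, which flake8 flags (E712) and which would also accept `1`/`0`; since the point of these tests is that the chart renders a real YAML boolean (a string `"false"` in this field would most likely be rejected by the API server), identity checks are both more idiomatic and stricter. Suggested: `assert r["statefulset"][uname]["spec"]["template"]["spec"]["automountServiceAccountToken"] is True` in `test_default_automount_sa_token`, and the same expression with `is False` in `test_disable_automount_sa_token`. The `uname` and `helm_template` names these tests rely on are defined earlier in the file, outside the hunk.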
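Review bot: `automountToken: true` is added to values.yaml without a comment, even though values.yaml is where operators actually read about a chart's settings and the security rationale only lives in the commit message. Suggest a comment directly above it: `# Elasticsearch does not call the Kubernetes API; set to false to keep the ServiceAccount token out of the pods.` Keeping the default at `true` preserves current behaviour as the commit intends, so the hardening remains opt-in and the comment is what tells users it exists.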