Remove serviceaccount for game server container

This mounts an emptydir over the service account token that is automatically mounted in the container that runs the game server binary. Since this is exposed to the outside world, removing the serviceaccount token removes authentication against the rest of the Kubernetes cluster if it ever gets compromised. Closes googleforgames#150
markmandel · Mar 7, 2019 · 44142cf · 44142cf
1 parent 9bdaba0
commit 44142cf
Show file tree

Hide file tree

Showing 4 changed files with 64 additions and 55 deletions.
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -52,24 +52,25 @@ import (
 )
 
 const (
-	enableStackdriverMetricsFlag = "stackdriver-exporter"
-	enablePrometheusMetricsFlag  = "prometheus-exporter"
-	projectIDFlag                = "gcp-project-id"
-	sidecarImageFlag             = "sidecar-image"
-	sidecarCPURequestFlag        = "sidecar-cpu-request"
-	sidecarCPULimitFlag          = "sidecar-cpu-limit"
-	pullSidecarFlag              = "always-pull-sidecar"
-	minPortFlag                  = "min-port"
-	maxPortFlag                  = "max-port"
-	certFileFlag                 = "cert-file"
-	keyFileFlag                  = "key-file"
-	numWorkersFlag               = "num-workers"
-	apiServerSustainedQPSFlag    = "api-server-qps"
-	apiServerBurstQPSFlag        = "api-server-qps-burst"
-	logDirFlag                   = "log-dir"
-	logSizeLimitMBFlag           = "log-size-limit-mb"
-	kubeconfigFlag               = "kubeconfig"
-	defaultResync                = 30 * time.Second
+	enableStackdriverMetricsFlag                 = "stackdriver-exporter"
+	enablePrometheusMetricsFlag                  = "prometheus-exporter"
+	projectIDFlag                                = "gcp-project-id"
+	sidecarImageFlag                             = "sidecar-image"
+	sidecarCPURequestFlag                        = "sidecar-cpu-request"
+	sidecarCPULimitFlag                          = "sidecar-cpu-limit"
+	pullSidecarFlag                              = "always-pull-sidecar"
+	minPortFlag                                  = "min-port"
+	maxPortFlag                                  = "max-port"
+	certFileFlag                                 = "cert-file"
+	keyFileFlag                                  = "key-file"
+	numWorkersFlag                               = "num-workers"
+	apiServerSustainedQPSFlag                    = "api-server-qps"
+	apiServerBurstQPSFlag                        = "api-server-qps-burst"
+	logDirFlag                                   = "log-dir"
+	logSizeLimitMBFlag                           = "log-size-limit-mb"
+	disableGameServerContainerServiceAccountFlag = "disable-gameserver-service-account"
+	kubeconfigFlag                               = "kubeconfig"
+	defaultResync                                = 30 * time.Second
 	// topNGSForAllocation is used by the GameServerAllocation controller
 	// to reduce the contention while allocating gameservers.
 	topNGSForAllocation = 100
@@ -183,7 +184,7 @@ func main() {
 
 	gsController := gameservers.NewController(wh, health,
 		ctlConf.MinPort, ctlConf.MaxPort, ctlConf.SidecarImage, ctlConf.AlwaysPullSidecar,
-		ctlConf.SidecarCPURequest, ctlConf.SidecarCPULimit,
+		ctlConf.SidecarCPURequest, ctlConf.SidecarCPULimit, ctlConf.DisableGameServerContainerServiceAccount,
 		kubeClient, kubeInformerFactory, extClient, agonesClient, agonesInformerFactory)
 	gsSetController := gameserversets.NewController(wh, health,
 		kubeClient, extClient, agonesClient, agonesInformerFactory)
@@ -236,6 +237,7 @@ func parseEnvFlags() config {
 	viper.SetDefault(apiServerBurstQPSFlag, 200)
 	viper.SetDefault(logDirFlag, "")
 	viper.SetDefault(logSizeLimitMBFlag, 10000) // 10 GB, will be split into 100 MB chunks
+	viper.SetDefault(disableGameServerContainerServiceAccountFlag, true)
 
 	pflag.String(sidecarImageFlag, viper.GetString(sidecarImageFlag), "Flag to overwrite the GameServer sidecar image that is used. Can also use SIDECAR env variable")
 	pflag.String(sidecarCPULimitFlag, viper.GetString(sidecarCPULimitFlag), "Flag to overwrite the GameServer sidecar container's cpu limit. Can also use SIDECAR_CPU_LIMIT env variable")
@@ -254,6 +256,8 @@ func parseEnvFlags() config {
 	pflag.Int32(apiServerBurstQPSFlag, 200, "Maximum burst queries per second to send to the API server")
 	pflag.String(logDirFlag, viper.GetString(logDirFlag), "If set, store logs in a given directory.")
 	pflag.Int32(logSizeLimitMBFlag, 1000, "Log file size limit in MB")
+	pflag.Bool(disableGameServerContainerServiceAccountFlag, viper.GetBool(disableGameServerContainerServiceAccountFlag), "When enabled, mounts an `emptyDir` over the service account token in the GameServer container, to stop game server processes from accessing Kubernetes. Can also use env DISABLE_GAMESERVER_SERVICE_ACCOUNT")
+
 	pflag.Parse()
 
 	viper.SetEnvKeyReplacer(strings.NewReplacer("-", "_"))
@@ -275,6 +279,7 @@ func parseEnvFlags() config {
 	runtime.Must(viper.BindEnv(apiServerBurstQPSFlag))
 	runtime.Must(viper.BindEnv(logDirFlag))
 	runtime.Must(viper.BindEnv(logSizeLimitMBFlag))
+	runtime.Must(viper.BindEnv(disableGameServerContainerServiceAccountFlag))
 
 	request, err := resource.ParseQuantity(viper.GetString(sidecarCPURequestFlag))
 	if err != nil {
@@ -287,45 +292,47 @@ func parseEnvFlags() config {
 	}
 
 	return config{
-		MinPort:               int32(viper.GetInt64(minPortFlag)),
-		MaxPort:               int32(viper.GetInt64(maxPortFlag)),
-		SidecarImage:          viper.GetString(sidecarImageFlag),
-		SidecarCPURequest:     request,
-		SidecarCPULimit:       limit,
-		AlwaysPullSidecar:     viper.GetBool(pullSidecarFlag),
-		KeyFile:               viper.GetString(keyFileFlag),
-		CertFile:              viper.GetString(certFileFlag),
-		KubeConfig:            viper.GetString(kubeconfigFlag),
-		PrometheusMetrics:     viper.GetBool(enablePrometheusMetricsFlag),
-		Stackdriver:           viper.GetBool(enableStackdriverMetricsFlag),
-		GCPProjectID:          viper.GetString(projectIDFlag),
-		NumWorkers:            int(viper.GetInt32(numWorkersFlag)),
-		APIServerSustainedQPS: int(viper.GetInt32(apiServerSustainedQPSFlag)),
-		APIServerBurstQPS:     int(viper.GetInt32(apiServerBurstQPSFlag)),
-		LogDir:                viper.GetString(logDirFlag),
-		LogSizeLimitMB:        int(viper.GetInt32(logSizeLimitMBFlag)),
+		MinPort:                                  int32(viper.GetInt64(minPortFlag)),
+		MaxPort:                                  int32(viper.GetInt64(maxPortFlag)),
+		SidecarImage:                             viper.GetString(sidecarImageFlag),
+		SidecarCPURequest:                        request,
+		SidecarCPULimit:                          limit,
+		AlwaysPullSidecar:                        viper.GetBool(pullSidecarFlag),
+		KeyFile:                                  viper.GetString(keyFileFlag),
+		CertFile:                                 viper.GetString(certFileFlag),
+		KubeConfig:                               viper.GetString(kubeconfigFlag),
+		PrometheusMetrics:                        viper.GetBool(enablePrometheusMetricsFlag),
+		Stackdriver:                              viper.GetBool(enableStackdriverMetricsFlag),
+		GCPProjectID:                             viper.GetString(projectIDFlag),
+		NumWorkers:                               int(viper.GetInt32(numWorkersFlag)),
+		APIServerSustainedQPS:                    int(viper.GetInt32(apiServerSustainedQPSFlag)),
+		APIServerBurstQPS:                        int(viper.GetInt32(apiServerBurstQPSFlag)),
+		LogDir:                                   viper.GetString(logDirFlag),
+		LogSizeLimitMB:                           int(viper.GetInt32(logSizeLimitMBFlag)),
+		DisableGameServerContainerServiceAccount: viper.GetBool(disableGameServerContainerServiceAccountFlag),
 	}
 }
 
 // config stores all required configuration to create a game server controller.
 type config struct {
-	MinPort               int32
-	MaxPort               int32
-	SidecarImage          string
-	SidecarCPURequest     resource.Quantity
-	SidecarCPULimit       resource.Quantity
-	AlwaysPullSidecar     bool
-	PrometheusMetrics     bool
-	Stackdriver           bool
-	KeyFile               string
-	CertFile              string
-	KubeConfig            string
-	GCPProjectID          string
-	NumWorkers            int
-	APIServerSustainedQPS int
-	APIServerBurstQPS     int
-	LogDir                string
-	LogSizeLimitMB        int
+	MinPort                                  int32
+	MaxPort                                  int32
+	SidecarImage                             string
+	SidecarCPURequest                        resource.Quantity
+	SidecarCPULimit                          resource.Quantity
+	AlwaysPullSidecar                        bool
+	PrometheusMetrics                        bool
+	Stackdriver                              bool
+	DisableGameServerContainerServiceAccount bool
+	KeyFile                                  string
+	CertFile                                 string
+	KubeConfig                               string
+	GCPProjectID                             string
+	NumWorkers                               int
+	APIServerSustainedQPS                    int
+	APIServerBurstQPS                        int
+	LogDir                                   string
+	LogSizeLimitMB                           int
 }
 
 // validate ensures the ctlConfig data is valid.

diff --git a/install/helm/agones/templates/controller.yaml b/install/helm/agones/templates/controller.yaml
@@ -98,6 +98,8 @@ spec:
           value: {{ .Values.agones.controller.apiServerQPS | quote }}
         - name: API_SERVER_QPS_BURST
           value: {{ .Values.agones.controller.apiServerQPSBurst | quote }}
+        - name: DISABLE_GAMESERVER_SERVICE_ACCOUNT
+          value: {{ .Values.gameservers.disableGameServerContainerServiceAccount | quote }}
 {{- if .Values.agones.controller.persistentLogs }}
         - name: LOG_DIR
           value: "/home/agones/logs"

diff --git a/pkg/gameservers/controller.go b/pkg/gameservers/controller.go
@@ -63,9 +63,9 @@ type Controller struct {
 	baseLogger                               *logrus.Entry
 	sidecarImage                             string
 	alwaysPullSidecarImage                   bool
+	disableGameServerContainerServiceAccount bool
 	sidecarCPURequest                        resource.Quantity
 	sidecarCPULimit                          resource.Quantity
-	disableGameServerContainerServiceAccount bool
 	crdGetter                                v1beta1.CustomResourceDefinitionInterface
 	podGetter                                typedcorev1.PodsGetter
 	podLister                                corelisterv1.PodLister

diff --git a/site/content/en/docs/Installation/helm.md b/site/content/en/docs/Installation/helm.md
@@ -166,7 +166,7 @@ The following tables lists the configurable parameters of the Agones chart and t
 | --------------------------------------------------- | ----------------------------------------------------------------------------------------------- | ---------------------- |
 | `agones.controller.persistentLogs`                  | Store Agones controller logs in a temporary volume attached to a container for debugging        | `true`                 |
 | `agones.controller.persistentLogsSizeLimitMB`       | Maximum total size of all Agones container logs in MB                                           | `10000`                |
-| `gameservers.disableGameServerContainerServiceAccount | When enabled, mounts an `emptyDir` over the service account token in the GameServer container, to stop game server processes from accessing Kubernetes | `true` |
+| `gameservers.disableGameServerContainerServiceAccount` | When enabled, mounts an `emptyDir` over the service account token in the GameServer container, to stop game server processes from accessing Kubernetes | `true` |
 
 {{% /feature %}}