Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Enhancement]: Add Support for Configuring automountServiceAccountToken #10970

Open
germanattanasio opened this issue Dec 19, 2024 · 3 comments
Open

[Enhancement]: Add Support for Configuring automountServiceAccountToken #10970

germanattanasio opened this issue Dec 19, 2024 · 3 comments
Labels
enhancement needs-triage

Comments

@germanattanasio
Copy link

germanattanasio commented Dec 19, 2024
edited
Loading

Related problem

Currently, it is not possible to set automountServiceAccountToken: false for Kafka and Zookeeper pods or their associated service accounts in Strimzi. This limitation is a blocker for environments with strict security policies, such as those on Azure or other secured clusters, where automounting service account tokens is not permitted by default.
Enforcing automountServiceAccountToken: false is a common security requirement in certain managed environments (e.g., Azure). Other frameworks and tools such as Snyk or ARMO have recently added this vulnerability. Finally existing tools like Cert-manager, Linkerd, and Kubernetes Ingress, allow you to set the value to false and use volume-based configurations for accessing service account tokens.

Here is the picture with the warning for the running pods with automount as true.

image

Suggested solution

  1. Set the automountServiceAccountToken to false for those pods that don't need access to Kubernetes API. This is backward compatible and easy to do.
  2. Allow users to define volume and volumeMount along with automountServiceAccountToken in the CRD or automatically add the volumes if the CRD has the flag as false.

Alternatives

No response

Additional context

Relevant References
@scholzj
Copy link
Member

scholzj commented Dec 19, 2024
edited
Loading

TBH, I'm not sure I follow the motivation. The token is in many cases needed so why should it be mounted separately in a complicated way? The idea to let the users do it just means that there will be a huge support load on us with people who are able to disable some flag but are unable to configure it properly. So I think the first point is relatively feasible, but will affect only few pods. The second point is IMHO not realistic. If you want to use some tooling to check on these things, you need to be able to configure it to know where it is ok and where it is not.

@germanattanasio
Copy link
Author

If we do (1) and disable it where it’s not needed, we would at least move closer to the principle of least privilege. Using volumes instead of the automatic service account could come later.

Which pods actually need access to the Kube API? I imagine the main operator needs the token. Do Kafka or Zookeeper containers need it?

@scholzj
Copy link
Member

scholzj commented Dec 19, 2024
edited
Loading

ZooKeeper is already gone. So pretty much the Kafka Exporter and I guess Cruise Control. Kafka needs it for rack awareness or node port access.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement needs-triage
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@germanattanasio @scholzj