Comments (8)
wazir-ahmed
commented on August 15, 2024
1
@daemon1024 We already the feature to create service account policy which allows only certain binaries in the Pod to access the token (based on the observability data from discovery-engine) - Ref.
The only addition I see in what you're saying is.. To also recommend a list of deployments which requires automountServiceAccountToken: false.
Correct me if I'm missing something here.
from kubearmor-client.
daemon1024
commented on August 15, 2024
1
The only addition I see in what you're saying is.. To also recommend a list of deployments which requires automountServiceAccountToken: false.
Right! Not mounting at all is more secure than Blocking access to the mount.
from kubearmor-client.
vishnusomank
commented on August 15, 2024
@nyrahul The SA directories were selected based on the comment by @wazir-ahmed
The actual path k8s injects the SA is /var/run (Ref: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller)
Ideally, applications should only access the /var/run SA path. But in Linux, since it is common to see the symlink /run --> /var/run, the process running in the pod might use the /run SA path.
from kubearmor-client.
daemon1024
commented on August 15, 2024
Quick suggestion,
Since we have runtime visibility, why don't we do this the k8s way,
We suggest users to set automount for Service account tokens to false. And tell them in what pods they need to mount it. In addition to that tell them which binaries in the Pod need access to that. (KubeArmor policy)
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
WDYT?
from kubearmor-client.
vishnusomank
commented on August 15, 2024
Rather than asking the user to set automount to false, If we recommend a KubeArmor policy to deny/allow access to the serviceaccount based on runtime data (current scenario) will be better right?
from kubearmor-client.
vishnusomank
commented on August 15, 2024
@wazir-ahmed yes it is generated by recommend.createRuntimePolicy() @nyrahul asked to update the logic to show a deny serviceaccount policy if no process is accessing it
from kubearmor-client.
wazir-ahmed
commented on August 15, 2024
@wazir-ahmed yes it is generated by
recommend.createRuntimePolicy()@nyrahul asked to update the logic to show a denyserviceaccountpolicy if no process is accessing it
@vishnusomank Yeah. I just checked the latest code.
from kubearmor-client.
vishnusomank
commented on August 15, 2024
The only addition I see in what you're saying is.. To also recommend a list of deployments which requires automountServiceAccountToken: false.
Right! Not mounting at all is more secure than Blocking access to the mount.
so it'll be printed as an info to the user rather than a block policy?
from kubearmor-client.
Related Issues (20)
- [feat] Improving Broken-link-check scope HOT 3
- Update Long description for karmor install HOT 3
- `--save` command is broken in karmor profile HOT 2
- karmor probe panic HOT 4
- `karmor install --env=generic --save` should work without kubernetes cluster access HOT 4
- karmor install percentage completion showing more than 100% HOT 4
- update `karmor install` to deploy kubearmor-relay sa and associated rbac policies for kubearmor relay HOT 4
- Running karmor probe on operator installation throws incorrect posture values HOT 7
- Karmor probe not showing armored pods
- add instructions to verify the tarballs using cosign HOT 3
- Install karmor without `sudo` HOT 4
- fix scorecard github action HOT 2
- fix renovate go.sum updates HOT 2
- `karmor uninstall` should remove annotations/policies by default HOT 1
- Improve `karmor probe` error handling HOT 1
- JSON output from `karmor logs --json` is not beautified HOT 7
- `karmor sysdump` should contain logs from all pods with `kubearmor-app` label HOT 1
- Show current status of daemonset in `karmor install` HOT 3
- `karmor recommend` doesn't recommend all expected policies with Docker v26 HOT 1
- Replace Docker Client with ORAS to handle interaction with OCI registries like DockerHub HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubearmor-client.