Harden Job Pod Service Account RBAC Settings #1550

Open
ihcsim opened this issue Jul 11, 2022 · 10 comments
Labels
enhancement frozen security Security related issues
Comments

@ihcsim
Contributor

ihcsim commented Jul 11, 2022

The job pod should be updated to use the namespace default service account if none is specified by the user, following the Kubernetes Job model. By default, the pod should also run with spec.automountServiceAccountToken: false to NOT automatically mount the service account credentials. Most job pods shouldn't need direct interaction with the Kubernetes API server. When one does, the pod should be using an ephemeral projected ServiceAccountToken.

@ihcsim ihcsim added the security Security related issues label Jul 11, 2022
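The two settings the issue proposes, as an added example that is not Kanister's code and not part of the comment above. The script audits plain-dict pod and ServiceAccount manifests offline (the "backup" namespace, the "kanister-job" account, the pod names and the "kube-api-access" volume name are all constructed for illustration), shows why a pod-level automountServiceAccountToken overrides the account-level one, and produces the hardened spec: automount disabled, and, only when the job needs the API server, a kubelet-rotated projected token plus the CA and namespace files in-cluster clients expect at the standard path.

```python
"""Audit and harden job pod specs for service account token exposure.

Added example, not Kanister project code. Works on plain dicts shaped like
Kubernetes Pod and ServiceAccount manifests so it runs offline; every object
below is constructed for illustration.
"""
from copy import deepcopy

# Constructed ServiceAccounts in namespace "backup": "default" leaves
# automountServiceAccountToken unset (Kubernetes treats unset as true),
# "kanister-job" disables it at the account level.
SERVICE_ACCOUNTS = {
    ("backup", "default"): {"metadata": {"name": "default", "namespace": "backup"}},
    ("backup", "kanister-job"): {
        "metadata": {"name": "kanister-job", "namespace": "backup"},
        "automountServiceAccountToken": False,
    },
}

# Constructed job pod that names no service account and says nothing about
# automount: the current default, which mounts a token into the container.
JOB_POD = {
    "metadata": {"name": "kanister-job-x7k2p", "namespace": "backup"},
    "spec": {
        "containers": [{"name": "container", "image": "kanister-tools:example"}],
        "restartPolicy": "Never",
    },
}

# Constructed pod that uses the hardened account but re-enables automount at
# the pod level; the pod-level field wins over the account-level one.
OVERRIDE_POD = deepcopy(JOB_POD)
OVERRIDE_POD["metadata"]["name"] = "kanister-job-override"
OVERRIDE_POD["spec"]["serviceAccountName"] = "kanister-job"
OVERRIDE_POD["spec"]["automountServiceAccountToken"] = True


def effective_automount(pod, service_accounts):
    """Return (service_account_name, token_auto_mounted).

    Kubernetes resolves the automatic mount as: pod.spec field if set,
    else the ServiceAccount's field if set, else true.
    """
    spec = pod["spec"]
    sa_name = spec.get("serviceAccountName", "default")
    if "automountServiceAccountToken" in spec:
        return sa_name, bool(spec["automountServiceAccountToken"])
    sa = service_accounts.get((pod["metadata"]["namespace"], sa_name), {})
    return sa_name, bool(sa.get("automountServiceAccountToken", True))


def projected_token_volumes(pod):
    """Names of volumes that explicitly project a serviceAccountToken."""
    return [
        vol["name"]
        for vol in pod["spec"].get("volumes", [])
        if any("serviceAccountToken" in src
               for src in vol.get("projected", {}).get("sources", []))
    ]


def audit(pods, service_accounts):
    """One finding per pod: (name, account, auto-mounted, projected volumes)."""
    return [
        (pod["metadata"]["name"], *effective_automount(pod, service_accounts),
         projected_token_volumes(pod))
        for pod in pods
    ]


def harden(pod, service_account=None, ttl_seconds=600):
    """Copy of `pod` with the automatic token mount disabled.

    When the job really needs the API server, pass a dedicated
    `service_account`: the pod then gets a projected token that the kubelet
    rotates and that is bound to this pod's lifetime (expirationSeconds must
    be at least 600), plus the cluster CA and namespace files that in-cluster
    clients look for at the standard path.
    """
    hardened = deepcopy(pod)
    spec = hardened["spec"]
    spec["automountServiceAccountToken"] = False
    if service_account is None:
        return hardened
    spec["serviceAccountName"] = service_account
    spec.setdefault("volumes", []).append({
        "name": "kube-api-access",
        "projected": {"sources": [
            {"serviceAccountToken": {"path": "token",
                                     "expirationSeconds": max(ttl_seconds, 600)}},
            {"configMap": {"name": "kube-root-ca.crt",
                           "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
            {"downwardAPI": {"items": [{"path": "namespace",
                                        "fieldRef": {"fieldPath": "metadata.namespace"}}]}},
        ]},
    })
    for container in spec["containers"]:
        container.setdefault("volumeMounts", []).append({
            "name": "kube-api-access",
            "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
            "readOnly": True,
        })
    return hardened


if __name__ == "__main__":
    pods = [JOB_POD, OVERRIDE_POD, harden(JOB_POD), harden(JOB_POD, "kanister-job")]
    for finding in audit(pods, SERVICE_ACCOUNTS):
        print(finding)
```

The audit is worth running against real pods because hardening the ServiceAccount alone is not enough: any podOverride that sets automountServiceAccountToken: true, or a controller that sets it on the pod spec, silently re-enables the mount. The projected token is audience-bound to the API server when no audience is given, so no audience is set here.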
@github-actions
Contributor

Thanks for opening this issue 👍. The team will review it shortly.

If this is a bug report, make sure to include clear instructions on how to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.

If you haven't already, please take a moment to review our project's Code of Conduct document.

@github-actions
Contributor

This issue is marked as stale due to inactivity. Add a new comment to reactivate it.

@github-actions github-actions bot added the stale label Sep 10, 2022
@ihcsim ihcsim removed the stale label Sep 21, 2022
@Sagar2366
Contributor

@ihcsim can I work on this issue?

@ihcsim
Contributor Author

ihcsim commented Oct 3, 2022

@Sagar2366 the code change for this is relatively simple, but a number of example blueprints will need to be updated. E.g., this etcd blueprint assumes that the job pod uses a service account that has permission to run kubectl exec against etcd pods. In this example blueprint, it uses the controller's service account. Making this change will require updating the blueprints to use the podOverride argument, to provide a service account with the appropriate RBAC permissions.

Furthermore, due to its breaking change nature, it isn't something that we can roll out immediately. We will need to give the community sufficient notice before rolling out this change.

Let me know if you are still interested in working on it.
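What "a service account with the appropriate RBAC permissions" looks like for the etcd case, as an added example that is neither Kanister's code nor part of the comment above. The Role grants only what `kubectl exec` against pods in one namespace requires (get on pods, create on pods/exec), and a small evaluator checks requests against Role and RoleBinding rules the way the RBAC authorizer does (namespaced rules and "*" wildcards only; ClusterRoles and resourceNames are left out), so the scope can be verified without a cluster. The "kanister" and "kube-system" namespaces, the "kanister-etcd-job" account and the Role names are constructed, and the podOverride fragment assumes KubeTask's podOverride is merged into the job pod's spec.

```python
"""Least-privilege RBAC for a blueprint job pod that must `kubectl exec`.

Added example, not Kanister code. All objects below are constructed; the
evaluator handles namespaced Role/RoleBinding rules with "*" wildcards
only (no ClusterRoles, no resourceNames, no "resource/*" forms).
"""

# Constructed: the job's ServiceAccount lives in "kanister", the etcd pods in
# "kube-system", so the Role and RoleBinding go in kube-system and the
# binding names the cross-namespace subject.
JOB_SA = {"kind": "ServiceAccount", "name": "kanister-etcd-job", "namespace": "kanister"}

ROLES = [{
    "kind": "Role",
    "metadata": {"name": "etcd-exec", "namespace": "kube-system"},
    "rules": [
        # kubectl exec first GETs the pod, then POSTs to the exec subresource.
        {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
    ],
}]

BINDINGS = [{
    "kind": "RoleBinding",
    "metadata": {"name": "etcd-exec", "namespace": "kube-system"},
    "subjects": [JOB_SA],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "etcd-exec"},
}]

# Assumed podOverride fragment for the blueprint's KubeTask phase: run as the
# dedicated account and skip the automatic token mount (API access would then
# come from an explicitly projected token volume).
POD_OVERRIDE = {
    "serviceAccountName": JOB_SA["name"],
    "automountServiceAccountToken": False,
}


def _matches(allowed_values, wanted):
    return "*" in allowed_values or wanted in allowed_values


def rule_allows(rule, verb, group, resource):
    """RBAC rule match; subresources are written "pods/exec" in `resources`."""
    return (_matches(rule.get("apiGroups", []), group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))


def subject_bound(binding, subject):
    return any(s["kind"] == subject["kind"] and s["name"] == subject["name"]
               and s.get("namespace") == subject.get("namespace")
               for s in binding["subjects"])


def allowed(subject, verb, resource, namespace, group="", roles=ROLES, bindings=BINDINGS):
    """True if a RoleBinding in `namespace` binds `subject` to a Role in that
    namespace with a matching rule. RBAC is allow-only: no match means deny."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace or not subject_bound(binding, subject):
            continue
        if binding["roleRef"]["kind"] != "Role":
            continue  # ClusterRole references are outside this evaluator's scope
        role = by_key.get((namespace, binding["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, group, resource) for r in role["rules"]):
            return True
    return False


def exec_scope_report(subject=JOB_SA):
    """Probe what the account can and cannot do: {(verb, resource, ns): bool}."""
    probes = [
        ("create", "pods/exec", "kube-system"),
        ("get", "pods", "kube-system"),
        ("delete", "pods", "kube-system"),
        ("list", "secrets", "kube-system"),
        ("create", "pods/exec", "default"),
    ]
    return {probe: allowed(subject, *probe) for probe in probes}


if __name__ == "__main__":
    for probe, ok in exec_scope_report().items():
        print(("allow" if ok else "deny "), *probe)
```

The point of the probes is the denials: the account that the blueprint needs cannot read Secrets, delete pods, or exec outside kube-system, which is what running the job under the controller's service account gives away today. Against a live cluster the same checks are `kubectl auth can-i create pods/exec -n kube-system --as=system:serviceaccount:kanister:kanister-etcd-job`.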

@Sagar2366
Contributor

@ihcsim thank you for the inputs.
I am still ramping up and trying to understand the project, so please guide me along the way as you're doing.
Yes, I am still interested in working on it.

@ihcsim
Contributor Author

ihcsim commented Oct 4, 2022

@Sagar2366 Thanks again for your interest. @pavannd1 and I will go over how to handle this breaking change. I do think it's important that this gets fixed. Will keep you posted.

Meanwhile, you can try out Kanister on your local cluster following the installation instructions here. Then follow this short tutorial to see Kanister in action. (The tutorial uses a KubeExec Function, you may wanna try with KubeTask since it's directly relevant to this issue.)

@Sagar2366
Contributor

Sure @ihcsim.

@pavannd1
Contributor

pavannd1 commented Nov 9, 2022

To be discussed internally with downstream users.

@github-actions
Contributor

github-actions bot commented Jan 9, 2023

This issue is marked as stale due to inactivity. Add a new comment to reactivate it.

@github-actions github-actions bot added the stale label Jan 9, 2023
@github-actions
Contributor

github-actions bot commented Feb 9, 2023

This issue is closed due to inactivity. Feel free to reopen it, if it's still relevant.

@github-actions github-actions bot added the rotten label Feb 9, 2023
@github-actions github-actions bot closed this as completed Feb 9, 2023
Kanister automation moved this from To Be Triaged to Done Feb 9, 2023
@pavannd1 pavannd1 moved this from Done to Qualified Backlog in Kanister Jun 13, 2023
@pavannd1 pavannd1 reopened this Jun 13, 2023
Kanister automation moved this from Qualified Backlog to To Be Triaged Jun 13, 2023
@pavannd1 pavannd1 removed the triage label Jun 13, 2023
@pavannd1 pavannd1 moved this from To Be Triaged to Qualified Backlog in Kanister Jun 13, 2023
Projects
Kanister
Qualified Backlog
4 participants