CODEWITHSUNDEEP
kubernetes
Kevin Fox
Kevin Fox

Reputation: 41

container disable service account

I have some containers that will be runnin users code in them. In order to strengthen security, I want to prevent them from having access to kubernetes api via the service account mechanism, but don't want to turn it off globally. The documentation says you can switch the service account name but only to another valid name. Are there alternatives that I missed? Can you restrict the account to have 0 permissions? Can you overmount the volume with a different one thats empty? Any other ideas?

Upvotes: 4

Views: 2808

Answers (3)

Rajiv Makhijani
Rajiv Makhijani

Reputation: 3651

In Kubernetes 1.6+, you can disable service account mounting on a Pod:

apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  automountServiceAccountToken: false
  ...

See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/

Upvotes: 6

Jordan Liggitt
Jordan Liggitt

Reputation: 18161

Service accounts only authenticate to the API, they don't inherently have authorization to perform any read or write API actions.

If you want to secure your cluster, run with an authorization mode other than AlwaysAllow (which gives any authenticated API user complete read/write access), and selectively grant permissions to certain service accounts or namespaces

Upvotes: 3

CJ Cullen
CJ Cullen

Reputation: 5662

The easiest hack is to mount an emptyDir over the location that the serviceAccount secret would have been mounted. Something like:

containers:
- name: running-user-code
  image: something-i-dont-trust
  volumeMounts:
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: no-api-access-please
    readOnly: true
volumes:
- name: no-api-access-please
  emptyDir: {}

There is more discussion in Kubernetes Issue #16779 on potential solutions (and that's where I stole the emptyDir example from).

Upvotes: 5

Related Questions