取消服务账号自动挂载

漏洞解析

漏洞扫描样例

[control: Automatic mapping of service account] failed 😥
Description: Potential attacker may gain access to a POD and steal its service account token. Therefore, it is recommended to disable automatic mapping of the service account tokens in service account configuration and enable it only for PODs that need to use them.
   Namespace security
      ServiceAccount - ddd-sa
      ServiceAccount - default
Summary - Passed:4   Warning:0   Failed:2   Total:6
Remediation: Only map token to PODs that are really using them. We suggest disabling the automatic mounting of service account tokens to PODs at the service account level, by specifying the securityContext.readOnlyRootFilesystem field to true,  and explicitly enabling the map for the PODs which are using it at the POD spec level.

> 描述: 潜在的攻击者可能通过获得`Pod`的访问权并窃取其服务帐户令牌。因此，建议在服务帐户配置中禁用服务帐户令牌的自动映射，只对需要使用它们的`pod`启用它。

## 加固方案

### 为ServiceAccount添加取消自动挂载属性

> 1.取消命名空间下默认服务账号自动挂载

```shell
$ kubectl patch -n security sa default -p '{"automountServiceAccountToken": false}'

2.取消其他服务账号自动挂载权限

方式同上一步骤

$ kubectl patch -n <namespace> sa <serviceAccountName> -p '{"automountServiceAccountToken": false}'

3.从源头取消服务账号自动挂载权限

创建时

$ cat <<EOF | kubectl apply -n security -f -
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  name: build-robot
EOF

chart声明时:

prometheus/templates/rbac/server-serviceaccount.yaml

{{- if .Values.server.enabled -}}
{{- if .Values.serviceAccounts.server.create }}
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
  labels:
    {{- include "prometheus.server.labels" . | nindent 4 }}
  name: {{ template "prometheus.serviceAccountName.server" . }}
{{ include "prometheus.namespace" . | indent 2 }}
  annotations:
{{ toYaml .Values.serviceAccounts.server.annotations | indent 4 }}
{{- end }}
{{- end }}