
Use least privilege service account for the runtime pod #403

Merged
merged 3 commits into from
Sep 13, 2023

Conversation

nicoloboschi
Member

At the moment, the runtime pod uses a service account which is able to manipulate configmaps & other resources in the tenant namespace. This is not needed and very dangerous since an application could load a k8s client on its behalf.

Changes:

  • We create another service account for the runtime pods, which is not bound to any role
  • In the control plane we accept service accounts based on the origin namespace and not the service account
  • Added tests on the current OIDC flow
  • Added flag to disable k8s authentication. This is because in the API gateway JWT auth there's no need to authenticate k8s service accounts

Follow-up work:

  • Ensure service pods will only have access to download the code - needs to introduce roles on the control plane
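The namespace-based acceptance described in the second bullet, as an added example that is not LangStream's code: a control plane that has validated a runtime pod's bearer token through the Kubernetes TokenReview API and decides to trust it because of the namespace the token was issued in, not because of the service-account name. The `system:serviceaccount:<namespace>:<name>` username and the `system:serviceaccounts:<namespace>` group are what the API server really returns; the TokenReview payloads, the `tenant-a`/`tenant-b` namespaces, the `langstream-runtime` account name and the semantics of the `k8s_auth_enabled` flag are constructed for illustration.

```python
"""Namespace-based acceptance of Kubernetes service-account tokens.

Added example, not LangStream code. It assumes the control plane has already
sent the bearer token to the Kubernetes TokenReview API and holds the response
as a dict. The sample responses at the bottom are constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Kubernetes encodes service-account identities as
# system:serviceaccount:<namespace>:<name> and adds the caller to the group
# system:serviceaccounts:<namespace>. Both formats are documented behaviour.
SA_USERNAME_PREFIX = "system:serviceaccount:"
SA_GROUP_PREFIX = "system:serviceaccounts:"


@dataclass(frozen=True)
class ServiceAccountIdentity:
    namespace: str
    name: str


def parse_service_account_username(username: str) -> Optional[ServiceAccountIdentity]:
    """Split a Kubernetes username into (namespace, name).

    Returns None for principals that are not service accounts (human users).
    Namespace and service-account names are DNS labels and cannot contain ':',
    so exactly two non-empty fields must follow the prefix.
    """
    if not username.startswith(SA_USERNAME_PREFIX):
        return None
    parts = username[len(SA_USERNAME_PREFIX):].split(":")
    if len(parts) != 2 or not all(parts):
        return None
    return ServiceAccountIdentity(namespace=parts[0], name=parts[1])


def identity_from_token_review(review: dict) -> Optional[ServiceAccountIdentity]:
    """Extract the caller identity from a TokenReview response.

    Returns None if the API server did not authenticate the token, or if the
    username and the namespaced group disagree (both come from the API server,
    so a mismatch means malformed input and is rejected rather than guessed).
    """
    status = review.get("status") or {}
    if not status.get("authenticated"):
        return None
    user = status.get("user") or {}
    ident = parse_service_account_username(user.get("username", ""))
    if ident is None:
        return None
    if SA_GROUP_PREFIX + ident.namespace not in user.get("groups", []):
        return None
    return ident


def authorize_tenant_request(review: dict, tenant_namespace: str,
                             k8s_auth_enabled: bool = True) -> bool:
    """Decide whether a service-account token may act on a tenant.

    Only the namespace the token was issued in matters, so the runtime pod can
    use a dedicated account bound to no Role; the account name is ignored.
    Assumed semantics of the disable flag: when k8s_auth_enabled is False
    (deployments that authenticate callers with API-gateway JWTs instead),
    no service-account token is accepted at all.
    """
    if not k8s_auth_enabled:
        return False
    ident = identity_from_token_review(review)
    return ident is not None and ident.namespace == tenant_namespace


def _review(username: str, groups: list, authenticated: bool = True) -> dict:
    """Build a TokenReview response shaped like the API server's (constructed)."""
    return {
        "apiVersion": "authentication.k8s.io/v1",
        "kind": "TokenReview",
        "status": {
            "authenticated": authenticated,
            "user": {"username": username, "groups": groups},
        },
    }


# Constructed sample responses: a runtime pod in tenant-a, the same account
# name in tenant-b, a human user, and a token the API server rejected.
RUNTIME_POD_TOKEN = _review(
    "system:serviceaccount:tenant-a:langstream-runtime",
    ["system:serviceaccounts", "system:serviceaccounts:tenant-a", "system:authenticated"],
)
OTHER_TENANT_TOKEN = _review(
    "system:serviceaccount:tenant-b:langstream-runtime",
    ["system:serviceaccounts", "system:serviceaccounts:tenant-b", "system:authenticated"],
)
HUMAN_USER_TOKEN = _review("alice@example.com", ["system:authenticated"])
REJECTED_TOKEN = _review("", [], authenticated=False)

if __name__ == "__main__":
    print(authorize_tenant_request(RUNTIME_POD_TOKEN, "tenant-a"))   # True
    print(authorize_tenant_request(OTHER_TENANT_TOKEN, "tenant-a"))  # False
    print(authorize_tenant_request(HUMAN_USER_TOKEN, "tenant-a"))    # False
```

Because the decision keys on the namespace, the runtime account itself needs no Role or RoleBinding: a Kubernetes client that an application loads with the mounted token can still authenticate to the API server, but has no RBAC grant to read or modify the tenant's configmaps or other resources, which is the exposure this PR closes.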


@eolivelli eolivelli left a comment


+1

@nicoloboschi nicoloboschi merged commit 13ffe1f into main Sep 13, 2023
8 checks passed
nicoloboschi added a commit to LangStream/charts that referenced this pull request Sep 13, 2023
@cbornet cbornet deleted the less-privilege-runtime branch September 26, 2023 23:46
benfrank241 pushed a commit to vectorize-io/langstream that referenced this pull request May 2, 2024

2 participants