feat: opt out of service accounts auto mounting tokens (#658) (#661)

# Backport This will backport the following commits from `k8s-22/main` to `k8s-21/main`: - [feat: opt out of service accounts auto mounting tokens (#658)](#658) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport)
cdk8s-team · Apr 27, 2022 · 31b8586 · 31b8586
1 parent 4aecb6c
commit 31b8586
Show file tree

Hide file tree

Showing 8 changed files with 94 additions and 6 deletions.
diff --git a/src/pod.ts b/src/pod.ts
@@ -14,6 +14,7 @@ export abstract class AbstractPod extends base.Resource {
   public readonly securityContext: PodSecurityContext;
   public readonly dns: PodDns;
   public readonly dockerRegistryAuth?: secret.DockerConfigSecret;
+  public readonly automountServiceAccountToken: boolean;
 
   private readonly _containers: container.Container[] = [];
   private readonly _initContainers: container.Container[] = [];
@@ -28,6 +29,7 @@ export abstract class AbstractPod extends base.Resource {
     this.securityContext = new PodSecurityContext(props.securityContext);
     this.dns = new PodDns(props.dns);
     this.dockerRegistryAuth = props.dockerRegistryAuth;
+    this.automountServiceAccountToken = props.automountServiceAccountToken ?? true;
 
     if (props.containers) {
       props.containers.forEach(c => this.addContainer(c));
@@ -166,6 +168,7 @@ export abstract class AbstractPod extends base.Resource {
       subdomain: dns.subdomain,
       setHostnameAsFqdn: dns.hostnameAsFQDN,
       imagePullSecrets: this.dockerRegistryAuth ? [{ name: this.dockerRegistryAuth.name }] : undefined,
+      automountServiceAccountToken: this.automountServiceAccountToken,
     };
 
   }
@@ -343,8 +346,22 @@ export interface AbstractPodProps extends base.ResourceProps {
    * @default - No auth. Images are assumed to be publicly available.
    */
   readonly dockerRegistryAuth?: secret.DockerConfigSecret;
+
+  /**
+   * Indicates whether a service account token should be automatically mounted.
+   *
+   * @default true
+   * @see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+   */
+  readonly automountServiceAccountToken?: boolean;
+
 }
 
+/**
+ * Properties for `Pod`.
+ */
+export interface PodProps extends AbstractPodProps {}
+
 /**
  * Pod is a collection of containers that can run on a host. This resource is
  * created by clients and scheduled onto hosts.
@@ -703,8 +720,3 @@ export interface HostAlias {
    */
   readonly ip: string;
 }
-
-/**
- * Properties for `Pod`.
- */
-export interface PodProps extends AbstractPodProps {}
diff --git a/src/service-account.ts b/src/service-account.ts
@@ -28,6 +28,15 @@ export interface ServiceAccountProps {
    * @see https://kubernetes.io/docs/concepts/configuration/secret
    */
   readonly secrets?: secret.ISecret[];
+
+  /**
+   * Indicates whether pods running as this service account
+   * should have an API token automatically mounted. Can be overridden at the pod level.
+   *
+   * @default true
+   * @see https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
+   */
+  readonly automountToken?: boolean;
 }
 
 /**
@@ -59,14 +68,22 @@ export class ServiceAccount extends base.Resource implements IServiceAccount {
 
   private readonly _secrets: secret.ISecret[];
 
+  /**
+   * Whether or not a token is automatically mounted for this
+   * service account.
+   */
+  public readonly automountToken: boolean;
+
   constructor(scope: Construct, id: string, props: ServiceAccountProps = { }) {
     super(scope, id);
 
     this._secrets = props.secrets ?? [];
+    this.automountToken = props.automountToken ?? true;
 
     this.apiObject = new k8s.KubeServiceAccount(this, 'Resource', {
       metadata: props.metadata,
       secrets: Lazy.any({ produce: () => undefinedIfEmpty(this._secrets.map(s => ({ name: s.name }))) }),
+      automountServiceAccountToken: this.automountToken,
     });
   }
 

diff --git a/test/__snapshots__/container.test.ts.snap b/test/__snapshots__/container.test.ts.snap
diff --git a/test/__snapshots__/daemon-set.test.ts.snap b/test/__snapshots__/daemon-set.test.ts.snap
diff --git a/test/__snapshots__/deployment.test.ts.snap b/test/__snapshots__/deployment.test.ts.snap
diff --git a/test/pod.test.ts b/test/pod.test.ts
@@ -492,3 +492,32 @@ test('can configure auth to docker registry', () => {
   expect(spec.imagePullSecrets).toEqual([{ name: auth.name }]);
 
 });
+
+test('auto mounting token defaults to true', () => {
+
+  const chart = Testing.chart();
+  const pod = new kplus.Pod(chart, 'Pod', {
+    containers: [{ image: 'image' }],
+  });
+
+  const spec: k8s.PodSpec = Testing.synth(chart)[0].spec;
+
+  expect(pod.automountServiceAccountToken).toBeTruthy();
+  expect(spec.automountServiceAccountToken).toBeTruthy();
+
+});
+
+test('auto mounting token can be disabled', () => {
+
+  const chart = Testing.chart();
+  const pod = new kplus.Pod(chart, 'Pod', {
+    containers: [{ image: 'image' }],
+    automountServiceAccountToken: false,
+  });
+
+  const spec: k8s.PodSpec = Testing.synth(chart)[0].spec;
+
+  expect(pod.automountServiceAccountToken).toBeFalsy();
+  expect(spec.automountServiceAccountToken).toBeFalsy();
+
+});
diff --git a/test/secret.test.ts b/test/secret.test.ts
@@ -135,6 +135,7 @@ test('Can create a service account token secret', () => {
 Array [
   Object {
     "apiVersion": "v1",
+    "automountServiceAccountToken": true,
     "kind": "ServiceAccount",
     "metadata": Object {
       "name": "test-serviceaccount-c8f15383",

diff --git a/test/service-account.test.ts b/test/service-account.test.ts
@@ -17,13 +17,15 @@ test('minimal definition', () => {
   const chart = Testing.chart();
 
   // WHEN
-  new kplus.ServiceAccount(chart, 'my-service-account');
+  const sa = new kplus.ServiceAccount(chart, 'my-service-account');
 
   // THEN
+  expect(sa.automountToken).toBeTruthy();
   expect(Testing.synth(chart)).toMatchInlineSnapshot(`
     Array [
       Object {
         "apiVersion": "v1",
+        "automountServiceAccountToken": true,
         "kind": "ServiceAccount",
         "metadata": Object {
           "name": "test-my-service-account-c84bb46b",
@@ -51,3 +53,26 @@ test('secrets can be added to the service account', () => {
   expect(manifest[0]?.secrets[0]).toStrictEqual({ name: 'my-secret-1' });
   expect(manifest[0]?.secrets[1]).toStrictEqual({ name: 'my-secret-2' });
 });
+
+test('auto mounting token can be disabled', () => {
+
+  const chart = Testing.chart();
+  const sa = new kplus.ServiceAccount(chart, 'my-service-account', {
+    automountToken: false,
+  });
+
+  expect(sa.automountToken).toBeFalsy();
+  expect(Testing.synth(chart)).toMatchInlineSnapshot(`
+    Array [
+      Object {
+        "apiVersion": "v1",
+        "automountServiceAccountToken": false,
+        "kind": "ServiceAccount",
+        "metadata": Object {
+          "name": "test-my-service-account-c84bb46b",
+        },
+      },
+    ]
+  `);
+
+});