Ephemeral service account tokens for Vault #93
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
lawrencejones
force-pushed
the
lawrence-use-ephemeral-service-account-tokens
branch
4 times, most recently
from
ab886d2
to
3c73e8b
Compare
lawrencejones
commented
Dec 5, 2019
| mountPath: /var/run/secrets/kubernetes.io/vault | ||
| ` | ||
|
|
||
| const annotatedPodYAML = ` |
lawrencejones
force-pushed
the
lawrence-use-ephemeral-service-account-tokens
branch
from
3c73e8b
to
2284e94
Compare
jace-ys
approved these changes
Dec 5, 2019
| serviceAccountName: secret-reader | ||
| restartPolicy: Never | ||
| containers: | ||
| - name: app |
There was a problem hiding this comment.
think this should be print-env to match the YAML above, but this shouldn't affect the test
There was a problem hiding this comment.
Yep good point, I'll change them to match (though I'll go with app in both cases, as that's what we like to use)
lawrencejones
force-pushed
the
lawrence-use-ephemeral-service-account-tokens
branch
from
2284e94
to
5636407
Compare
Kubernetes service account tokens, by default, are not rotated. Our Vault authentication chain requires that Kubernetes pods send their tokens to the Vault server, outside of the Kubernetes cluster. If a token was to be compromised in that exchange, the attacker would be able to impersonate this Kubernetes service account indefinitely. This is a significant security risk. This commit changes our mutating webhook to mount service account credentials using the kubelet projected volume mounts API. This API uses the kubelet to inject ephemeral service account tokens that are rotated periodically into the containers. We can use these tokens to authenticate against Vault, instead of tokens that are never revoked. In addition, we can set an audience for the projected token to be something other than the Kubernetes API server. This would prevent any leaked tokens being used for anything other than authenticating with Vault. While we don't use this at present, as our Vault installation relies on using this token to reflect token review requests back to the API server, we may switch to this in future if we think the security benefit is compelling.
lawrencejones
force-pushed
the
lawrence-use-ephemeral-service-account-tokens
branch
from
5636407
to
babfc14
Compare
This reverts commit e5396f8.
We now only apply the envconsul-injector webhook to namespaces with this label, so we must add it if we want our tests to work.
lawrencejones
deleted the
lawrence-use-ephemeral-service-account-tokens
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Kubernetes service account tokens, by default, are not rotated. Our
Vault authentication chain requires that Kubernetes pods send their
tokens to the Vault server, outside of the Kubernetes cluster.
If a token was to be compromised in that exchange, the attacker would be
able to impersonate this Kubernetes service account indefinitely. This
is a significant security risk.
This commit changes our mutating webhook to mount service account
credentials using the kubelet projected volume mounts API. This API uses
the kubelet to inject ephemeral service account tokens that are rotated
periodically into the containers. We can use these tokens to
authenticate against Vault, instead of tokens that are never revoked.
In addition, we can set an audience for the projected token to be
something other than the Kubernetes API server. This would prevent any
leaked tokens being used for anything other than authenticating with
Vault. While we don't use this at present, as our Vault installation
relies on using this token to reflect token review requests back to the
API server, we may switch to this in future if we think the security
benefit is compelling.