
Kyverno's default restrict-automount-sa-token policy denies the installation of policy-reporter #155

Closed
Dentrax opened this issue Jun 16, 2022 · 11 comments

Comments

@Dentrax

Dentrax commented Jun 16, 2022

Shouldn't we set automountServiceAccountToken: "false" in deployment manifest? Any ideas why we set it to true instead?

```
$ helm install policy-reporter policy-reporter/policy-reporter --set kyvernoPlugin.enabled=true --set ui.enabled=true --set ui.plugins.kyverno=true  -n policy-reporter --create-namespace

Error: INSTALLATION FAILED: admission webhook "validate.kyverno.svc-fail" denied the request:

resource Deployment/policy-reporter/policy-reporter-kyverno-plugin was blocked due to the following policies

restrict-automount-sa-token:
  autogen-validate-automountServiceAccountToken: 'validation error: Auto-mounting
    of Service Account tokens is not allowed. Rule autogen-validate-automountServiceAccountToken
    failed at path /spec/template/spec/automountServiceAccountToken/'
```

Rule:

```yaml
spec:
  background: true
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: validate-automountServiceAccountToken
    validate:
      message: Auto-mounting of Service Account tokens is not allowed.
      pattern:
        spec:
          automountServiceAccountToken: "false"
  validationFailureAction: enforce
```

cc @developer-guy

@Dentrax
Author

Dentrax commented Jun 16, 2022

If I set automountServiceAccountToken: "false" in the deployment, the pod falls back to crashing with the following error:

Error: open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

Any ideas how to make it run without setting it true?

@fjogeleit
Member

fjogeleit commented Jun 16, 2022

The SA is required to get permissions for accessing the K8s API. That's why it is set to true. There is no real workaround for it. The only possible solution would be to add a manual volume and volumeMount instead of using the automount feature.

@Dentrax
Author

Dentrax commented Jun 16, 2022

So it's something we can fix in the deployment manifests? I prefer to handle all that manual stuff in the helm side during installation.

Currently, it's not possible to run this project with Kyverno's default policy enforcement, which decreases the UX a bit in the first place.

@fjogeleit
Member

fjogeleit commented Jun 16, 2022

But you will have the same problem with all tools that access the K8s API in some way. The Policy description also says that the intention is to prevent automount for pods that are not interacting with the K8s API:

Kubernetes automatically mounts ServiceAccount credentials in each Pod.
The ServiceAccount may be assigned roles allowing Pods to access API resources.
Blocking this ability is an extension of the least privilege best practice and should
be followed if Pods do not need to speak to the API server to function.
This policy ensures that mounting of these ServiceAccount tokens is blocked.

Because the SA secret name has a dynamic suffix like policy-reporter-token-vdt6m, the manual mount is not really an option because I don't know the secret name before it is created.
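The manual volume and volumeMount workaround discussed above, as an added example that is neither from the thread nor from the policy-reporter chart: a projected serviceAccountToken volume is issued to the pod by the kubelet via the TokenRequest API, so it never references the token Secret by name and does not depend on a generated suffix such as policy-reporter-token-vdt6m. The ca.crt and namespace files that in-cluster clients expect next to the token are supplied from the kube-root-ca.crt ConfigMap and the downward API, which is how the kubelet itself populates the mount on current clusters. Deployment name, labels, container name and image below are assumed placeholders.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: policy-reporter           # assumed name
  namespace: policy-reporter
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: policy-reporter
  template:
    metadata:
      labels:
        app.kubernetes.io/name: policy-reporter
    spec:
      # The ServiceAccount is still needed: RBAC bindings attach to it.
      serviceAccountName: policy-reporter
      # Satisfies the restrict-automount-sa-token pattern; nothing is mounted
      # implicitly, the volume below is the only credential in the pod.
      automountServiceAccountToken: false
      containers:
      - name: policy-reporter
        image: example.invalid/policy-reporter:placeholder   # placeholder image
        volumeMounts:
        # Same path client-go and most in-cluster clients read by default.
        - name: sa-token
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
      volumes:
      - name: sa-token
        projected:
          defaultMode: 0420
          sources:
          # Short-lived, audience-bound token; the kubelet rotates it before expiry.
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
          # Cluster CA so the client can verify the API server.
          - configMap:
              name: kube-root-ca.crt
              items:
              - key: ca.crt
                path: ca.crt
          # Namespace file, read by clients that default to "own namespace".
          - downwardAPI:
              items:
              - path: namespace
                fieldRef:
                  fieldPath: metadata.namespace
```

Compared with the automount default, this makes the credential explicit in the manifest (reviewable and auditable), bounds its lifetime, and lets the expirationSeconds value be tightened per workload; the trade-off is that every chart component that talks to the API server has to carry the same volume definition.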

@fjogeleit
Member

You could add an exclude label and add this label to the policy-reporter pods and other K8s API related tools.

Would it make sense to add some kind of exclusion (e.g. label) to the Kyverno Policy directly @chipzoller @realshuting?

@chipzoller
Member

Sure, should it exclude by name?

@fjogeleit
Member

If you want to add a policy-reporter specific exclude I would suggest the label app.kubernetes.io/part-of: policy-reporter. It's currently only added on the deployment, but I can create a minor version which also adds it on pod level. So we don't need multiple values for the different components.

@chipzoller
Member

Glad to accept a PR to the policy if one is made.

@fjogeleit
Member

Thanks @chipzoller. I will open one.

@fjogeleit
Member

fjogeleit commented Jun 16, 2022

I created kyverno/policies#348 which should resolve your issue, and the Policy should no longer block the Policy Reporter deployment.

@fjogeleit
Member

The updated Policy now has an exclude filter for Policy Reporter (kyverno/policies#348) which should fix this issue.
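The label-based exclusion agreed on in this thread, written out as an added example; this is an illustration of the approach using the rule quoted earlier in the issue, not the text of kyverno/policies#348, whose exact contents are not shown here. It assumes the app.kubernetes.io/part-of: policy-reporter label is present on the Pod template as well as on the Deployment.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-automount-sa-token
spec:
  validationFailureAction: enforce
  background: true
  rules:
  - name: validate-automountServiceAccountToken
    match:
      any:
      - resources:
          kinds:
          - Pod
    # Pods carrying the Policy Reporter label are skipped; every other Pod
    # still has to set automountServiceAccountToken: "false".
    exclude:
      any:
      - resources:
          kinds:
          - Pod
          selector:
            matchLabels:
              app.kubernetes.io/part-of: policy-reporter
    validate:
      message: Auto-mounting of Service Account tokens is not allowed.
      pattern:
        spec:
          automountServiceAccountToken: "false"
```

Because Kyverno auto-generates a sibling rule for Pod controllers (the autogen-validate-automountServiceAccountToken rule in the error above), the selector in the autogen variant is evaluated against the Deployment's own labels while the Pod rule sees the Pod's labels, which is why the label has to exist at both levels for the exclusion to hold consistently. A label is a convenience key, not an identity: any workload whose author can set that label bypasses the rule, so pair this with RBAC that limits who may create or label workloads, or scope the exclusion to the policy-reporter namespace if that matches how the cluster is administered.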
