
[deckhouse] Add hook to disable default service account token automount #11954

Merged
merged 12 commits into main from feature/disable-default-sa-token-automount
Feb 20, 2025

Conversation

YuryLysov
Contributor

@YuryLysov YuryLysov commented Feb 10, 2025

Description

Add hook to disable default ServiceAccount token automount

Why do we need it, and what problem does it solve?

According to CIS Benchmark 5.1.5, automountServiceAccountToken for the default SA should be disabled.

Checklist

  • The code is covered by unit tests.
  • e2e tests passed.
  • Documentation updated according to the changes.
  • Changes were tested in the Kubernetes cluster manually.

Changelog entries

section: deckhouse
type: feature
summary: Add hook to disable default ServiceAccount token automount.
impact_level: default
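The decision the hook has to make, shown as an added example (this is not the PR's own Go code, which is written against the Deckhouse hook SDK and does not appear on this page): walk the cluster's ServiceAccounts, find every namespace whose `default` account still automounts tokens, and build the JSON merge patch that turns it off. The `serviceAccount` type, the function names and the sample snapshot are assumptions made for this illustration; the field semantics (an absent `automountServiceAccountToken` means enabled) are Kubernetes behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// serviceAccount models only the ServiceAccount fields this logic needs.
// It is a simplified stand-in for the real Kubernetes API type (assumption).
type serviceAccount struct {
	Metadata struct {
		Name      string `json:"name"`
		Namespace string `json:"namespace"`
	} `json:"metadata"`
	// A pointer keeps "field absent" (nil) distinct from an explicit false;
	// the API server treats an absent field as true, i.e. automount enabled.
	AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
}

// NeedsPatch reports whether sa is a "default" ServiceAccount whose token
// automount is still effectively enabled (field absent or true).
func NeedsPatch(sa serviceAccount) bool {
	if sa.Metadata.Name != "default" {
		return false
	}
	return sa.AutomountServiceAccountToken == nil || *sa.AutomountServiceAccountToken
}

// DisableAutomountPatch returns the JSON merge patch (RFC 7386) that sets
// automountServiceAccountToken to false on a ServiceAccount.
func DisableAutomountPatch() []byte {
	p, _ := json.Marshal(struct {
		Automount bool `json:"automountServiceAccountToken"`
	}{false})
	return p
}

// PlanPatches takes raw ServiceAccount JSON objects (as a hook would receive
// them from a snapshot) and returns, per namespace, the patch to apply to the
// default ServiceAccount. Namespaces whose default SA is already hardened,
// and non-default accounts, are left untouched.
func PlanPatches(raw [][]byte) (map[string][]byte, error) {
	plan := make(map[string][]byte)
	for _, doc := range raw {
		var sa serviceAccount
		if err := json.Unmarshal(doc, &sa); err != nil {
			return nil, fmt.Errorf("decode ServiceAccount: %w", err)
		}
		if NeedsPatch(sa) {
			plan[sa.Metadata.Namespace] = DisableAutomountPatch()
		}
	}
	return plan, nil
}

// SampleServiceAccounts is a constructed snapshot: two namespaces still
// automount tokens (one implicitly, one explicitly), one is already hardened,
// and one non-default account must be left alone.
var SampleServiceAccounts = [][]byte{
	[]byte(`{"metadata":{"name":"default","namespace":"kube-system"}}`),
	[]byte(`{"metadata":{"name":"default","namespace":"app"},"automountServiceAccountToken":true}`),
	[]byte(`{"metadata":{"name":"default","namespace":"hardened"},"automountServiceAccountToken":false}`),
	[]byte(`{"metadata":{"name":"builder","namespace":"app"}}`),
}

func main() {
	plan, err := PlanPatches(SampleServiceAccounts)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for ns, patch := range plan {
		fmt.Printf("namespace %-12s patch %s\n", ns, patch)
	}
}
```

Two points worth keeping in mind when reviewing a hook like this. First, the nil-versus-false distinction is the whole check: a default ServiceAccount that has never been touched carries no `automountServiceAccountToken` field at all, and that means enabled. Second, the ServiceAccount-level flag is only a default; a pod can still set `spec.automountServiceAccountToken: true` and receive a token, so CIS 5.1.5 removes the accidental mount but does not by itself prevent a deliberate one. Because the control plane creates a `default` ServiceAccount in every new namespace, the hook also has to react to ServiceAccount events rather than run once.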

@github-actions github-actions bot added the go Pull requests that update Go code label Feb 10, 2025
@YuryLysov YuryLysov added this to the v1.69.0 milestone Feb 10, 2025
@YuryLysov YuryLysov added the e2e/run/gcp Run e2e tests in Google Cloud label Feb 10, 2025
@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 10, 2025

🟢 e2e: GCP for deckhouse:feature/disable-default-sa-token-automount succeeded in 29m55s.

Workflow details

GCP-WithoutNAT-Containerd-1.29 - Connection string: ssh user@34.159.96.201

🟢 e2e: GCP, Containerd, Kubernetes 1.29 succeeded in 29m14s.

@github-actions github-actions bot removed the e2e/run/gcp Run e2e tests in Google Cloud label Feb 10, 2025
@YuryLysov YuryLysov changed the title Add hook [deckhouse] Add hook to disable default service account token automount Feb 10, 2025
@YuryLysov YuryLysov added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Feb 10, 2025
@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 10, 2025

🟢 e2e: Yandex.Cloud for deckhouse:feature/disable-default-sa-token-automount succeeded in 35m26s.

Workflow details

Yandex.Cloud-WithoutNAT-Containerd-1.29 - Connection string: ssh redos@89.169.152.199

🟢 e2e: Yandex.Cloud, Containerd, Kubernetes 1.29 succeeded in 34m43s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Feb 10, 2025
@YuryLysov YuryLysov marked this pull request as ready for review February 10, 2025 10:44
@YuryLysov YuryLysov requested a review from miklezzzz February 10, 2025 15:09
@YuryLysov YuryLysov force-pushed the feature/disable-default-sa-token-automount branch from 48c7da0 to 81e8b03 Compare February 11, 2025 06:24
@yalosev yalosev added the e2e/run/aws Run e2e tests in AWS label Feb 20, 2025
@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 20, 2025

🔴 e2e: AWS for deckhouse:feature/disable-default-sa-token-automount failed in 5m49s.

E2e for aws WithoutNAT;containerd;1.30 was failed. Use:
ssh -i ~/.ssh/e2e-id-rsa ec2-user@3.123.137.65 - connect for debugging;

/e2e/abort aws;WithoutNAT;containerd;1.30 13435897249 13435897249-1-con-1-30 /sys/deckhouse-oss/install:pr11954 ec2-user@3.123.137.65 - for abort failed cluster

Workflow details (1 job failed)

AWS-WithoutNAT-Containerd-1.30 - Connection string: ssh ec2-user@3.123.137.65

🔴 e2e: AWS, Containerd, Kubernetes 1.30 failed in 5m10s.

@github-actions github-actions bot removed the e2e/run/aws Run e2e tests in AWS label Feb 20, 2025
@deckhouse-BOaTswain deckhouse-BOaTswain added the e2e/cluster/failed Pull request contains failed e2e cluster label Feb 20, 2025
@yalosev
Member

yalosev commented Feb 20, 2025

/e2e/abort aws;WithoutNAT;containerd;1.30 13435897249 13435897249-1-con-1-30 /sys/deckhouse-oss/install:pr11954 ec2-user@3.123.137.65

@yalosev yalosev added the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Feb 20, 2025
@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 20, 2025

🟢 destroy cluster: AWS for refs/heads/main succeeded in 6m9s.

Workflow details

🟢 destroy cluster: AWS, Containerd, Kubernetes 1.30 succeeded in 5m46s.

@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 20, 2025

🔴 e2e: Yandex.Cloud for deckhouse:feature/disable-default-sa-token-automount failed in 5m29s.

E2e for yandex-cloud WithoutNAT;containerd;1.30 was failed. Use:
ssh -i ~/.ssh/e2e-id-rsa redos@84.252.129.162 - connect for debugging;

/e2e/abort yandex-cloud;WithoutNAT;containerd;1.30 13436805652 13436805652-1-con-1-30 /sys/deckhouse-oss/install:pr11954 redos@84.252.129.162 - for abort failed cluster

Workflow details (1 job failed)

Yandex.Cloud-WithoutNAT-Containerd-1.30 - Connection string: ssh redos@84.252.129.162

🔴 e2e: Yandex.Cloud, Containerd, Kubernetes 1.30 failed in 4m44s.

@github-actions github-actions bot removed the e2e/run/yandex-cloud Run e2e tests in Yandex Cloud label Feb 20, 2025
@deckhouse-BOaTswain deckhouse-BOaTswain removed the e2e/cluster/failed Pull request contains failed e2e cluster label Feb 20, 2025
Signed-off-by: YuryLysov <yuriy.lysov@flant.com>
@YuryLysov YuryLysov force-pushed the feature/disable-default-sa-token-automount branch from 9f6c0d1 to 3920ec5 Compare February 20, 2025 13:59
@YuryLysov
Contributor Author

/e2e/abort yandex-cloud;WithoutNAT;containerd;1.30 13436805652 13436805652-1-con-1-30 /sys/deckhouse-oss/install:pr11954 redos@84.252.129.162

@YuryLysov YuryLysov added the e2e/run/gcp Run e2e tests in Google Cloud label Feb 20, 2025
@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 20, 2025

🟢 destroy cluster: Yandex.Cloud for refs/heads/main succeeded in 6m16s.

Workflow details

🟢 destroy cluster: Yandex.Cloud, Containerd, Kubernetes 1.30 succeeded in 5m53s.

@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 20, 2025

🟢 e2e: GCP for deckhouse:feature/disable-default-sa-token-automount succeeded in 40m3s.

Workflow details

GCP-WithoutNAT-Containerd-1.30 - Connection string: ssh user@34.159.69.69

🟢 e2e: GCP, Containerd, Kubernetes 1.30 succeeded in 39m27s.

@github-actions github-actions bot removed the e2e/run/gcp Run e2e tests in Google Cloud label Feb 20, 2025
@YuryLysov YuryLysov added the e2e/run/aws Run e2e tests in AWS label Feb 20, 2025
@deckhouse-BOaTswain
Collaborator

deckhouse-BOaTswain commented Feb 20, 2025

🟢 e2e: AWS for deckhouse:feature/disable-default-sa-token-automount succeeded in 32m9s.

Workflow details

AWS-WithoutNAT-Containerd-1.30 - Connection string: ssh ec2-user@18.195.53.32

🟢 e2e: AWS, Containerd, Kubernetes 1.30 succeeded in 31m28s.

@github-actions github-actions bot removed the e2e/run/aws Run e2e tests in AWS label Feb 20, 2025
@yalosev yalosev merged commit b2e60c1 into main Feb 20, 2025
56 checks passed
@yalosev yalosev deleted the feature/disable-default-sa-token-automount branch February 20, 2025 18:11