From 3429bc77a4fbf461d77c472461c7edd1d9f7252f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Krupa=20=28paulfantom=29?= <pawel@krupa.net.pl>
Date: Fri, 4 Feb 2022 14:08:52 +0100
Subject: [PATCH] disable injecting unnecessary variables allowing access to
 k8s API

---
 jsonnet/kube-prometheus/components/alertmanager.libsonnet       | 1 +
 jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet  | 2 ++
 jsonnet/kube-prometheus/components/grafana.libsonnet            | 2 ++
 jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet | 1 +
 jsonnet/kube-prometheus/components/node-exporter.libsonnet      | 2 ++
 jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet | 2 ++
 .../kube-prometheus/components/prometheus-operator.libsonnet    | 1 +
 jsonnet/kube-prometheus/components/prometheus.libsonnet         | 1 +
 8 files changed, 12 insertions(+)

diff --git a/jsonnet/kube-prometheus/components/alertmanager.libsonnet b/jsonnet/kube-prometheus/components/alertmanager.libsonnet
index 4d17c8ab..a2f29e67 100644
--- a/jsonnet/kube-prometheus/components/alertmanager.libsonnet
+++ b/jsonnet/kube-prometheus/components/alertmanager.libsonnet
@@ -121,6 +121,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: am._metadata,
+    automountServiceAccountToken: false,
   },
 
   service: {
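Review bot: Setting `automountServiceAccountToken: false` on this ServiceAccount is only safe if the Alertmanager pods, which prometheus-operator generates from the Alertmanager CR rather than from this file, either do not need the API token or explicitly set `automountServiceAccountToken: true` on their pod spec; the generated pod template is not visible here, so this cannot be confirmed from the hunk. A one-line comment above the field would record that dependency for whoever bumps the operator: `// pods are generated by prometheus-operator; they must opt in via automountServiceAccountToken on the pod spec`. The enclosing `function(params)` object starts outside the hunk.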
diff --git a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
index 8a05beff..162bd9a6 100644
--- a/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/blackbox-exporter.libsonnet
@@ -115,6 +115,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: bb._metadata,
+    automountServiceAccountToken: false,
   },
 
   clusterRole: {
@@ -238,6 +239,7 @@ function(params) {
           spec: {
             containers: [blackboxExporter, reloader, kubeRbacProxy],
             nodeSelector: { 'kubernetes.io/os': 'linux' },
+            automountServiceAccountToken: true,
             serviceAccountName: 'blackbox-exporter',
             volumes: [{
               name: 'config',
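Review bot: The pod-level `automountServiceAccountToken: true` mounts the token into all three containers listed on the line above, including `blackboxExporter`, which by design makes outbound requests to whatever probe targets it is configured with, so the net effect for this component is unchanged from the default. If only `kubeRbacProxy` needs the token (presumably for TokenReview/SubjectAccessReview, not verifiable from this hunk), a narrower option is to keep the pod at `false` and give that single container a projected `serviceAccountToken` volume mounted at the conventional path; the container definitions are outside this hunk. At minimum a why-comment would help: `// kube-rbac-proxy needs the API token; the ServiceAccount itself has automount disabled`.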
diff --git a/jsonnet/kube-prometheus/components/grafana.libsonnet b/jsonnet/kube-prometheus/components/grafana.libsonnet
index 2ba9518c..a89e170e 100644
--- a/jsonnet/kube-prometheus/components/grafana.libsonnet
+++ b/jsonnet/kube-prometheus/components/grafana.libsonnet
@@ -88,10 +88,12 @@ function(params)
     // 'allowPrivilegeEscalation: false' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/128 gets merged.
     // 'readOnlyRootFilesystem: true' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/129 gets merged.
     // 'capabilities: { drop: ['ALL'] }' can be deleted when https://github.com/brancz/kubernetes-grafana/pull/130 gets merged.
+    // FIXME(paulfantom): `automountServiceAccountToken` can be removed after porting to brancz/kuberentes-grafana
     deployment+: {
       spec+: {
         template+: {
           spec+: {
+            automountServiceAccountToken: false,
             containers: std.map(function(c) c {
               securityContext+: {
                 allowPrivilegeEscalation: false,
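Review bot: The new FIXME misspells the upstream repository: `kuberentes-grafana` should read `kubernetes-grafana`, i.e. `// FIXME(paulfantom): automountServiceAccountToken can be removed after porting to brancz/kubernetes-grafana`. It is also worth stating in that comment that a pod-level `false` takes precedence over whatever the upstream-provided Grafana ServiceAccount sets, so this single line is sufficient even though the ServiceAccount object is not touched by this patch. The enclosing `function(params)` object starts outside the hunk.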
diff --git a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
index cd925c0b..c63891ec 100644
--- a/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
+++ b/jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
@@ -129,6 +129,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
           },
         },
         spec+: {
+          automountServiceAccountToken: true,
           containers: std.map(function(c) c {
             ports:: null,
             livenessProbe:: null,
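Review bot: `automountServiceAccountToken: true` is already the Kubernetes default, so on its own this line changes nothing; it only becomes meaningful if the kube-state-metrics ServiceAccount, which comes from the imported upstream library and is not modified here, is set to `false` at some point. A why-comment would make the intended pairing explicit and stop a future cleanup from deleting it as redundant: `// explicit opt-in: the ServiceAccount may disable automount, but kube-state-metrics needs the API token to list cluster objects`. The enclosing definition starts outside the hunk.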
diff --git a/jsonnet/kube-prometheus/components/node-exporter.libsonnet b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
index c9dd2d2f..11ebfbe1 100644
--- a/jsonnet/kube-prometheus/components/node-exporter.libsonnet
+++ b/jsonnet/kube-prometheus/components/node-exporter.libsonnet
@@ -114,6 +114,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: ne._metadata,
+    automountServiceAccountToken: false,
   },
 
   service: {
@@ -240,6 +241,7 @@ function(params) {
               { name: 'sys', hostPath: { path: '/sys' } },
               { name: 'root', hostPath: { path: '/' } },
             ],
+            automountServiceAccountToken: true,
             serviceAccountName: ne._config.name,
             securityContext: {
               runAsUser: 65534,
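Review bot: The pod-level `automountServiceAccountToken: true` injects the API token into every container of a pod that also mounts the host root filesystem via the `root` hostPath volume three lines above, so a compromise of the exporter container yields both host access and a cluster credential. If only the kube-rbac-proxy sidecar needs the token (presumably, not verifiable here), keep the pod at `false` and add a projected token volume that only that container mounts at `/var/run/secrets/kubernetes.io/serviceaccount`; the container definitions are outside this hunk, and the enclosing `function(params)` object starts outside it too.
```jsonnet
            volumes: [
              // … unchanged: proc, sys and root hostPath volumes …
              {
                name: 'sa-token',
                projected: {
                  sources: [
                    { serviceAccountToken: { path: 'token', expirationSeconds: 3600 } },
                    { configMap: { name: 'kube-root-ca.crt', items: [{ key: 'ca.crt', path: 'ca.crt' }] } },
                    { downwardAPI: { items: [{ path: 'namespace', fieldRef: { fieldPath: 'metadata.namespace' } }] } },
                  ],
                },
              },
            ],
            // token is provided only to the kube-rbac-proxy container via the 'sa-token' volume mount (container defined above)
            automountServiceAccountToken: false,
            serviceAccountName: ne._config.name,
```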
diff --git a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
index b0cf3a4b..1ac3aced 100644
--- a/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-adapter.libsonnet
@@ -253,6 +253,7 @@ function(params) {
           spec: {
             containers: [c],
             serviceAccountName: $.serviceAccount.metadata.name,
+            automountServiceAccountToken: true,
             nodeSelector: { 'kubernetes.io/os': 'linux' },
             volumes: [
               { name: 'tmpfs', emptyDir: {} },
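Review bot: The pod-level `automountServiceAccountToken: true` has no explanation, and since the matching ServiceAccount is set to `false` elsewhere in this file, a reader of just the Deployment will not see why the default is being restated. A short why-comment above the line would suffice: `// the adapter must talk to the API server (it serves an aggregated API), so re-enable the token the ServiceAccount disables`. The enclosing `function(params)` object starts outside the hunk.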
@@ -268,6 +269,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: pa._metadata,
+    automountServiceAccountToken: false,
   },
 
   clusterRole: {
diff --git a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
index b6139da1..68ebf94c 100644
--- a/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus-operator.libsonnet
@@ -131,6 +131,7 @@ function(params)
       spec+: {
         template+: {
           spec+: {
+            automountServiceAccountToken: true,
             containers: std.map(function(c) c {
               securityContext+: {
                 capabilities: { drop: ['ALL'] },
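Review bot: `automountServiceAccountToken: true` matches the Kubernetes default, so this line is a no-op unless the operator's ServiceAccount, which is not part of this patch, is later set to `false`; the intent should be recorded so the line survives a cleanup. Suggested comment above it: `// explicit opt-in: prometheus-operator needs the API token to manage Prometheus/Alertmanager resources`. The enclosing `function(params)` object starts outside the hunk.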
diff --git a/jsonnet/kube-prometheus/components/prometheus.libsonnet b/jsonnet/kube-prometheus/components/prometheus.libsonnet
index db1e2cd0..c21a65a9 100644
--- a/jsonnet/kube-prometheus/components/prometheus.libsonnet
+++ b/jsonnet/kube-prometheus/components/prometheus.libsonnet
@@ -98,6 +98,7 @@ function(params) {
     apiVersion: 'v1',
     kind: 'ServiceAccount',
     metadata: p._metadata,
+    automountServiceAccountToken: false,
   },
 
   service: {
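Review bot: Disabling automount on the Prometheus ServiceAccount can break scraping if the Prometheus configuration uses kubernetes_sd_configs, which is the usual case for this project though not visible here, because the Prometheus pods are generated by prometheus-operator from the Prometheus CR and this file does not control their pod spec. The change is therefore only correct with an operator version that explicitly sets `automountServiceAccountToken: true` on the generated StatefulSet; that prerequisite should be checked and recorded, e.g. `// requires a prometheus-operator that sets automountServiceAccountToken: true on generated pods`. The enclosing `function(params)` object starts outside the hunk.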
-- 
GitLab