From 8cb69794267ece73d6bc77c266e30017fdf9dd6d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Krupa=20=28paulfantom=29?= <pawel@krupa.net.pl>
Date: Fri, 4 Feb 2022 14:10:01 +0100
Subject: [PATCH] docs: add security considerations regarding automountServiceAccountToken

---
 docs/security.md | 13 +++++++++++
 kubescape-exceptions.json | 49 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)

diff --git a/docs/security.md b/docs/security.md
index 0de52547..e881a8bc 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -9,3 +9,16 @@ While we aim for best practices in terms of security by default, due to the natu
 * Host Port is set. https://hub.armo.cloud/docs/c-0044 is not relevant since node-exporter is considered as a core platform component running as a DaemonSet.
 * Host PID is set to `true`, since node-exporter requires direct access to the host namespace to gather statistics.
 * Host Network is set to `true`, since node-exporter requires direct access to the host network to gather statistics.
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
+
+#### prometheus-adapter
+* `automountServiceAccountToken` is set to `true` on Pod level as application requires connection to kubernetes API server.
+
+#### blackbox-exporter
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecar requires connection to kubernetes API server.
+
+#### kube-state-metrics
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.
+
+#### prometheus-operator
+* `automountServiceAccountToken` is set to `true` on Pod level as kube-rbac-proxy sidecars requires connection to kubernetes API server.
diff --git a/kubescape-exceptions.json b/kubescape-exceptions.json
index 11ae8186..c260b9f7 100644
--- a/kubescape-exceptions.json
+++ b/kubescape-exceptions.json
@@ -1,4 +1,53 @@
 [
+ {
+ "name": "exclude-automountServiceAccountToken-checks",
+ "policyType": "postureExceptionPolicy",
+ "actions": [
+ "alertOnly"
+ ],
+ "resources": [
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "DaemonSet",
+ "name": "node-exporter"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment",
+ "name": "blackbox-exporter"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment",
+ "name": "kube-state-metrics"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment",
+ "name": "prometheus-adapter"
+ }
+ },
+ {
+ "designatorType": "Attributes",
+ "attributes": {
+ "kind": "Deployment",
+ "name": "prometheus-operator"
+ }
+ }
+ ],
+ "posturePolicies": [
+ {
+ "controlName": "Automatic mapping of service account"
+ }
+ ]
+ },
 {
 "name": "exclude-node-exporter-host-access-checks",
 "policyType": "postureExceptionPolicy",
-- 
GitLab
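Review bot: Each designator in the new `resources` list matches on `kind` and `name` only, so the waiver also covers any Deployment or DaemonSet carrying one of these five names in another namespace, not just the workloads that docs/security.md justifies. Kubescape's attribute designators accept a `namespace` key; adding `"namespace": "<monitoring-namespace>"` next to `kind` and `name` in each of the five attributes objects would keep the exception scoped to the stack's own manifests. The enclosing JSON array continues past the end of the hunk.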