Add emptyDir volume to builder pods to mask secrets

This adds an empty volume on a tmpfs to builder pods and mounts it over
the directory Kubernetes uses for the service account secret, which should
prevent pods from having access to the default service account's token.
This commit is contained in:
Brad Ison 2016-10-05 11:25:27 -04:00
parent 91caa4c55c
commit 779f0f1b54


@ -376,6 +376,22 @@ class KubernetesExecutor(BuilderExecutor):
},
},
'spec': {
# This volume is a hack to mask the token for the namespace's
# default service account, which is placed in a file mounted under
# `/var/run/secrets/kubernetes.io/serviceaccount` in all pods.
# There's currently no other way to just disable the service
# account at either the pod or namespace level.
#
# https://github.com/kubernetes/kubernetes/issues/16779
#
'volumes': [
{
'name': 'secrets-mask',
'emptyDir': {
'medium': 'Memory',
},
},
],
'containers': [
{
'name': 'builder',
@ -390,6 +406,12 @@ class KubernetesExecutor(BuilderExecutor):
'resources': {
'requests': container_requests,
},
'volumeMounts': [
{
'name': 'secrets-mask',
'mountPath': '/var/run/secrets/kubernetes.io/serviceaccount',
},
],
},
],
'imagePullSecrets': [{'name': 'builder'}],
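Review bot: The `secrets-mask` mount at `/var/run/secrets/kubernetes.io/serviceaccount` hides the token file but leaves the pod bound to the namespace's default service account, so the protection holds only as long as the token is never exposed another way: a second entry in `containers` without the same `volumeMounts` item, or a cluster that projects the token at a different path, would still see it. The comment in the first hunk should state that limitation so the hack is not mistaken for a real opt-out, e.g. `# NOTE: only the token file is hidden; the pod still runs as the default service account. Replace with 'automountServiceAccountToken': False (or a dedicated no-privilege 'serviceAccountName') once the cluster's Kubernetes version supports it.` Consider also adding `'readOnly': True` to the mount so the build cannot use the memory-backed tmpfs as scratch space, since a `medium: Memory` emptyDir counts against the container's memory. The enclosing method's pod spec begins before the first hunk and continues past `imagePullSecrets`.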