Add emptyDir volume to builder pods to mask secrets
This adds an emptyDir volume backed by tmpfs to builder pods and mounts it over the directory Kubernetes uses for the service account token, which should prevent builder pods from reading the default service account's credentials.
parent
91caa4c55c
commit
779f0f1b54
1 changed files with 22 additions and 0 deletions
|
@ -376,6 +376,22 @@ class KubernetesExecutor(BuilderExecutor):
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
'spec': {
|
'spec': {
|
||||||
|
# This volume is a hack to mask the token for the namespace's
|
||||||
|
# default service account, which is placed in a file mounted under
|
||||||
|
# `/var/run/secrets/kubernetes.io/serviceaccount` in all pods.
|
||||||
|
# There's currently no other way to just disable the service
|
||||||
|
# account at either the pod or namespace level.
|
||||||
|
#
|
||||||
|
# https://github.com/kubernetes/kubernetes/issues/16779
|
||||||
|
#
|
||||||
|
'volumes': [
|
||||||
|
{
|
||||||
|
'name': 'secrets-mask',
|
||||||
|
'emptyDir': {
|
||||||
|
'medium': 'Memory',
|
||||||
|
},
|
||||||
|
},
|
||||||
|
],
|
||||||
'containers': [
|
'containers': [
|
||||||
{
|
{
|
||||||
'name': 'builder',
|
'name': 'builder',
|
||||||
|
@ -390,6 +406,12 @@ class KubernetesExecutor(BuilderExecutor):
|
||||||
'resources': {
|
'resources': {
|
||||||
'requests': container_requests,
|
'requests': container_requests,
|
||||||
},
|
},
|
||||||
|
'volumeMounts': [
|
||||||
|
{
|
||||||
|
'name': 'secrets-mask',
|
||||||
|
'mountPath': '/var/run/secrets/kubernetes.io/serviceaccount',
|
||||||
|
},
|
||||||
|
],
|
||||||
},
|
},
|
||||||
],
|
],
|
||||||
'imagePullSecrets': [{'name': 'builder'}],
|
'imagePullSecrets': [{'name': 'builder'}],
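Review bot: The mask in the second hunk (`'mountPath': '/var/run/secrets/kubernetes.io/serviceaccount'`) only hides the projected token from the builder container; the kubelet still projects it into the pod, and the in-memory emptyDir placed on that path is writable by the container, so this is a concealment rather than a removal. Adding `'automountServiceAccountToken': False,` to the `'spec'` dict in the first hunk stops the token from being projected at all (I believe this field is what the linked issue 16779 was resolved with), so where the target cluster supports it that should be the primary control and the emptyDir only a fallback for older clusters. As written the mask is attached to the `builder` container's `volumeMounts` only, so any container added to this pod later would receive the token unless it mounts the same volume; suggested comment above `'volumes'`: `# Only the builder container mounts this mask; any additional container must mount it too or the token is exposed there.` The enclosing KubernetesExecutor method starts before the first hunk and continues past the second.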
|
||||||
|
|