I have some containers that will be running users' code in them. In order to strengthen security, I want to prevent them from having access to the Kubernetes API via the service account mechanism, but I don't want to turn it off globally. The documentation says you can switch the service account name, but only to another valid name. Are there alternatives that I missed? Can you restrict the account to have 0 permissions? Can you overmount the volume with a different one that's empty? Any other ideas?
In Kubernetes 1.6+, you can disable service account mounting on a Pod:
apiVersion: v1
kind: Pod
metadata:
  name: my-pod
spec:
  automountServiceAccountToken: false
  ...
See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/
The easiest hack is to mount an emptyDir over the location where the serviceAccount secret would have been mounted. Something like:
containers:
- name: running-user-code
  image: something-i-dont-trust
  volumeMounts:
  # Occupies the path the token would be mounted at, so the container sees an empty directory instead
  - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
    name: no-api-access-please
    readOnly: true
volumes:
- name: no-api-access-please
  emptyDir: {}
There is more discussion in Kubernetes Issue #16779 on potential solutions (and that's where I stole the emptyDir example from).
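The two opt-out mechanisms in the answers above (the Pod-level automountServiceAccountToken field and the emptyDir overmount) are easy to lose track of across many manifests, so here is a small lint that decides, per container, whether a usable token will end up reachable. This is an added example, not code from the original thread or from the Kubernetes project. It assumes the documented precedence (a Pod-level automountServiceAccountToken overrides the ServiceAccount-level one, and the default is to mount), treats any user-declared mount at the token path as shadowing the automatic one, and treats an explicitly mounted projected serviceAccountToken volume as still delivering a token even when automount is off. The function names and the sample manifests are constructed for the example.

```python
"""Hypothetical lint: will a Pod end up with a usable service-account token?

Added example, not from the original thread or from Kubernetes itself.
Manifests are passed as plain dicts (what yaml.safe_load would give you), so
it runs offline; the samples at the bottom are constructed for illustration.
"""

TOKEN_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def _explicit_token_volumes(spec):
    """Names of volumes that project a serviceAccountToken source."""
    names = set()
    for vol in spec.get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            if "serviceAccountToken" in src:
                names.add(vol["name"])
    return names


def token_mounted(pod, service_accounts=None):
    """Return {container name: True if a token is reachable inside it}.

    service_accounts maps a ServiceAccount name to its object (or {}) so the
    ServiceAccount-level automountServiceAccountToken can be consulted.
    """
    service_accounts = service_accounts or {}
    spec = pod.get("spec", {})
    sa_name = spec.get("serviceAccountName", "default")

    # Precedence assumed from the docs: Pod field > ServiceAccount field > default (mount).
    automount = spec.get("automountServiceAccountToken")
    if automount is None:
        automount = service_accounts.get(sa_name, {}).get("automountServiceAccountToken")
    if automount is None:
        automount = True

    explicit = _explicit_token_volumes(spec)
    verdicts = {}
    for container in spec.get("containers", []):
        has_explicit = False
        shadowed = False
        for mount in container.get("volumeMounts", []):
            if mount["name"] in explicit:
                has_explicit = True   # opting out does not stop an explicit projection
            elif mount.get("mountPath") == TOKEN_DIR:
                shadowed = True       # e.g. the emptyDir overmount occupies the path
        verdicts[container["name"]] = has_explicit or (automount and not shadowed)
    return verdicts


def containers_with_token(pods, service_accounts):
    """Sorted 'pod/container' entries where a token is reachable (the lint output)."""
    hits = []
    for pod in pods:
        for cname, mounted in token_mounted(pod, service_accounts).items():
            if mounted:
                hits.append(f"{pod['metadata']['name']}/{cname}")
    return sorted(hits)


# Constructed sample objects, not real cluster state.
SERVICE_ACCOUNTS = {
    "default": {},
    "sandbox": {"automountServiceAccountToken": False},
}


def _pod(name, spec):
    return {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": name}, "spec": spec}


_APP = {"name": "app", "image": "img"}
SAMPLE_PODS = [
    _pod("plain", {"containers": [dict(_APP)]}),
    _pod("pod-optout", {"automountServiceAccountToken": False, "containers": [dict(_APP)]}),
    _pod("overmount", {  # the emptyDir trick from the answer above
        "containers": [{"name": "running-user-code", "image": "something-i-dont-trust",
                        "volumeMounts": [{"mountPath": TOKEN_DIR, "name": "no-api-access-please",
                                          "readOnly": True}]}],
        "volumes": [{"name": "no-api-access-please", "emptyDir": {}}]}),
    _pod("sa-optout", {"serviceAccountName": "sandbox", "containers": [dict(_APP)]}),
    _pod("sa-optout-overridden", {"serviceAccountName": "sandbox",
                                  "automountServiceAccountToken": True, "containers": [dict(_APP)]}),
    _pod("optout-but-projected", {  # opt-out is defeated by an explicit projected token
        "automountServiceAccountToken": False,
        "containers": [{"name": "app", "image": "img",
                        "volumeMounts": [{"mountPath": "/var/run/secrets/tokens", "name": "tok"}]}],
        "volumes": [{"name": "tok", "projected": {"sources": [{"serviceAccountToken": {"path": "token"}}]}}]}),
]

if __name__ == "__main__":
    for entry in containers_with_token(SAMPLE_PODS, SERVICE_ACCOUNTS):
        print("token reachable:", entry)
```

Running it flags plain/app, sa-optout-overridden/app and optout-but-projected/app; the last one is the case worth remembering, since setting automountServiceAccountToken: false does nothing against a workload author who adds a projected serviceAccountToken volume themselves.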
Service accounts only authenticate to the API; they don't inherently have authorization to perform any read or write API actions.
If you want to secure your cluster, run with an authorization mode other than AlwaysAllow (which gives any authenticated API user complete read/write access), and selectively grant permissions to certain service accounts or namespaces.