update manifests to avoid vulnerability

Kong · Jun 15, 2022 · 9421432 · 9421432
1 parent cf252b3
commit 9421432
Show file tree

Hide file tree

Showing 8 changed files with 116 additions and 1 deletion.
diff --git a/config/base/kong-ingress-dbless.yaml b/config/base/kong-ingress-dbless.yaml
@@ -20,6 +20,16 @@ spec:
         app: ingress-kong
     spec:
       serviceAccountName: kong-serviceaccount
+      automountServiceAccountToken: false
+      volumes:
+      - name: kong-serviceaccount-token
+        secret:
+          secretName: kong-serviceaccount-token
+          items:
+          - key: token
+            path: token
+          - key: ca.crt
+            path: ca.crt
       containers:
       - name: proxy
         image: kong-placeholder:placeholder # This is replaced by the config/image.yaml component
@@ -131,3 +141,8 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           failureThreshold: 3
+        volumeMounts:
+        - name: kong-serviceaccount-token
+          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          readOnly: true
+
diff --git a/config/base/kustomization.yaml b/config/base/kustomization.yaml
@@ -4,6 +4,7 @@ resources:
 - ../crd
 - ../rbac
 - ingressclass.yaml
+- secret-sa-token.yaml
 - service.yaml
 - serviceaccount.yaml
 - validation-service.yaml

diff --git a/config/base/namespace.yaml b/config/base/namespace.yaml
@@ -3,4 +3,3 @@ apiVersion: v1
 kind: Namespace
 metadata:
   name: kong
-
diff --git a/config/base/secret-sa-token.yaml b/config/base/secret-sa-token.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kong-serviceaccount-token
+  namespace: kong
+  annotations:
+    kubernetes.io/service-account.name: kong-serviceaccount
+type: kubernetes.io/service-account-token
diff --git a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml
@@ -1392,6 +1392,15 @@ subjects:
   namespace: kong
 ---
 apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: kong-serviceaccount
+  name: kong-serviceaccount-token
+  namespace: kong
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
 kind: Service
 metadata:
   annotations:
@@ -1447,6 +1456,7 @@ spec:
       labels:
         app: ingress-kong
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: KONG_LICENSE_DATA
@@ -1560,9 +1570,22 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kong-serviceaccount-token
+          readOnly: true
       imagePullSecrets:
       - name: kong-enterprise-edition-docker
       serviceAccountName: kong-serviceaccount
+      volumes:
+      - name: kong-serviceaccount-token
+        secret:
+          items:
+          - key: token
+            path: token
+          - key: ca.crt
+            path: ca.crt
+          secretName: kong-serviceaccount-token
 ---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass

diff --git a/deploy/single/all-in-one-dbless.yaml b/deploy/single/all-in-one-dbless.yaml
@@ -1392,6 +1392,15 @@ subjects:
   namespace: kong
 ---
 apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: kong-serviceaccount
+  name: kong-serviceaccount-token
+  namespace: kong
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
 kind: Service
 metadata:
   annotations:
@@ -1447,6 +1456,7 @@ spec:
       labels:
         app: ingress-kong
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: KONG_PROXY_LISTEN
@@ -1555,7 +1565,20 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kong-serviceaccount-token
+          readOnly: true
       serviceAccountName: kong-serviceaccount
+      volumes:
+      - name: kong-serviceaccount-token
+        secret:
+          items:
+          - key: token
+            path: token
+          - key: ca.crt
+            path: ca.crt
+          secretName: kong-serviceaccount-token
 ---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass

diff --git a/deploy/single/all-in-one-postgres-enterprise.yaml b/deploy/single/all-in-one-postgres-enterprise.yaml
@@ -1392,6 +1392,15 @@ subjects:
   namespace: kong
 ---
 apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: kong-serviceaccount
+  name: kong-serviceaccount-token
+  namespace: kong
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: kong-admin
@@ -1493,6 +1502,7 @@ spec:
       labels:
         app: ingress-kong
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: KONG_LICENSE_DATA
@@ -1629,6 +1639,10 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kong-serviceaccount-token
+          readOnly: true
       imagePullSecrets:
       - name: kong-enterprise-edition-docker
       initContainers:
@@ -1650,6 +1664,15 @@ spec:
         image: kong/kong-gateway:2.8
         name: wait-for-migrations
       serviceAccountName: kong-serviceaccount
+      volumes:
+      - name: kong-serviceaccount-token
+        secret:
+          items:
+          - key: token
+            path: token
+          - key: ca.crt
+            path: ca.crt
+          secretName: kong-serviceaccount-token
 ---
 apiVersion: apps/v1
 kind: StatefulSet

diff --git a/deploy/single/all-in-one-postgres.yaml b/deploy/single/all-in-one-postgres.yaml
@@ -1392,6 +1392,15 @@ subjects:
   namespace: kong
 ---
 apiVersion: v1
+kind: Secret
+metadata:
+  annotations:
+    kubernetes.io/service-account.name: kong-serviceaccount
+  name: kong-serviceaccount-token
+  namespace: kong
+type: kubernetes.io/service-account-token
+---
+apiVersion: v1
 kind: Service
 metadata:
   annotations:
@@ -1461,6 +1470,7 @@ spec:
       labels:
         app: ingress-kong
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: KONG_DATABASE
@@ -1573,6 +1583,10 @@ spec:
           periodSeconds: 10
           successThreshold: 1
           timeoutSeconds: 1
+        volumeMounts:
+        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+          name: kong-serviceaccount-token
+          readOnly: true
       initContainers:
       - command:
         - /bin/sh
@@ -1587,6 +1601,15 @@ spec:
         image: kong:2.8
         name: wait-for-migrations
       serviceAccountName: kong-serviceaccount
+      volumes:
+      - name: kong-serviceaccount-token
+        secret:
+          items:
+          - key: token
+            path: token
+          - key: ca.crt
+            path: ca.crt
+          secretName: kong-serviceaccount-token
 ---
 apiVersion: apps/v1
 kind: StatefulSet