From 9421432c2d9abcb489193656d30e0b835527fa8e Mon Sep 17 00:00:00 2001 From: Yi Tao Date: Mon, 6 Jun 2022 16:26:03 +0800 Subject: [PATCH] update manifests to avoid vulnerability --- config/base/kong-ingress-dbless.yaml | 15 ++++++++++++ config/base/kustomization.yaml | 1 + config/base/namespace.yaml | 1 - config/base/secret-sa-token.yaml | 8 +++++++ .../all-in-one-dbless-k4k8s-enterprise.yaml | 23 +++++++++++++++++++ deploy/single/all-in-one-dbless.yaml | 23 +++++++++++++++++++ .../all-in-one-postgres-enterprise.yaml | 23 +++++++++++++++++++ deploy/single/all-in-one-postgres.yaml | 23 +++++++++++++++++++ 8 files changed, 116 insertions(+), 1 deletion(-) create mode 100644 config/base/secret-sa-token.yaml diff --git a/config/base/kong-ingress-dbless.yaml b/config/base/kong-ingress-dbless.yaml index a6bd77caa8..2d6b6ab5f7 100644 --- a/config/base/kong-ingress-dbless.yaml +++ b/config/base/kong-ingress-dbless.yaml @@ -20,6 +20,16 @@ spec: app: ingress-kong spec: serviceAccountName: kong-serviceaccount + automountServiceAccountToken: false + volumes: + - name: kong-serviceaccount-token + secret: + secretName: kong-serviceaccount-token + items: + - key: token + path: token + - key: ca.crt + path: ca.crt containers: - name: proxy image: kong-placeholder:placeholder # This is replaced by the config/image.yaml component @@ -131,3 +141,8 @@ spec: periodSeconds: 10 successThreshold: 1 failureThreshold: 3 + volumeMounts: + - name: kong-serviceaccount-token + mountPath: /var/run/secrets/kubernetes.io/serviceaccount + readOnly: true + diff --git a/config/base/kustomization.yaml b/config/base/kustomization.yaml index 818ae5ee4f..b4154cd0c1 100644 --- a/config/base/kustomization.yaml +++ b/config/base/kustomization.yaml @@ -4,6 +4,7 @@ resources: - ../crd - ../rbac - ingressclass.yaml +- secret-sa-token.yaml - service.yaml - serviceaccount.yaml - validation-service.yaml diff --git a/config/base/namespace.yaml b/config/base/namespace.yaml index 1f2fcfe35b..18dfea24c5 100644 
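Review bot: The `kong-serviceaccount-token` Secret mounted by this new `volumes:` entry is a legacy `kubernetes.io/service-account-token` credential — it never expires, is not bound to the pod, and stays readable in the `kong` namespace after the pod is gone — whereas the automounted token it replaces is, on clusters with bound token volumes (default since roughly 1.21), a short-lived, rotating projected token; so `automountServiceAccountToken: false` followed by a hand-mounted static Secret gives the container the same access with a weaker credential. The same pattern recurs in the `volumes:`/`volumeMounts:` hunks of the four `deploy/single/all-in-one-*.yaml` files and in the new `config/base/secret-sa-token.yaml`. The volume also projects only `token` and `ca.crt`, while the automounted directory additionally carries `namespace`, so anything that reads `/var/run/secrets/kubernetes.io/serviceaccount/namespace` for in-cluster namespace discovery would presumably stop working — worth confirming against the controller. If the supported minimum Kubernetes version permits, a `projected` volume with a `serviceAccountToken` source, the `kube-root-ca.crt` ConfigMap and a downwardAPI `namespace` item reproduces the automount layout without a persistent Secret, as sketched below (the `expirationSeconds` value is a constructed example).
```yaml
      automountServiceAccountToken: false
      volumes:
        - name: kong-serviceaccount-token
          projected:
            sources:
              - serviceAccountToken:
                  expirationSeconds: 3600
                  path: token
              - configMap:
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
      # … unchanged: containers …
```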
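Review bot: The appended `volumeMounts:` block is followed by an added empty line, leaving `config/base/kong-ingress-dbless.yaml` with a trailing blank line at EOF that yamllint's default `empty-lines` rule rejects; drop the final `+` line. The container that receives this mount starts above the hunk, so it is not visible here which of the pod's containers gets the token; a one-line comment above `volumeMounts:` naming the consuming container, e.g. `# service-account token for the in-cluster API client`, would make that reviewable without opening the rest of the file.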
--- a/config/base/namespace.yaml +++ b/config/base/namespace.yaml @@ -3,4 +3,3 @@ apiVersion: v1 kind: Namespace metadata: name: kong - diff --git a/config/base/secret-sa-token.yaml b/config/base/secret-sa-token.yaml new file mode 100644 index 0000000000..2494558efd --- /dev/null +++ b/config/base/secret-sa-token.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: kong-serviceaccount-token + namespace: kong + annotations: + kubernetes.io/service-account.name: kong-serviceaccount +type: kubernetes.io/service-account-token diff --git a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml index f829526f40..982e583174 100644 --- a/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml +++ b/deploy/single/all-in-one-dbless-k4k8s-enterprise.yaml @@ -1392,6 +1392,15 @@ subjects: namespace: kong --- apiVersion: v1 +kind: Secret +metadata: + annotations: + kubernetes.io/service-account.name: kong-serviceaccount + name: kong-serviceaccount-token + namespace: kong +type: kubernetes.io/service-account-token +--- +apiVersion: v1 kind: Service metadata: annotations: @@ -1447,6 +1456,7 @@ spec: labels: app: ingress-kong spec: + automountServiceAccountToken: false containers: - env: - name: KONG_LICENSE_DATA @@ -1560,9 +1570,22 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kong-serviceaccount-token + readOnly: true imagePullSecrets: - name: kong-enterprise-edition-docker serviceAccountName: kong-serviceaccount + volumes: + - name: kong-serviceaccount-token + secret: + items: + - key: token + path: token + - key: ca.crt + path: ca.crt + secretName: kong-serviceaccount-token --- apiVersion: networking.k8s.io/v1 kind: IngressClass diff --git a/deploy/single/all-in-one-dbless.yaml b/deploy/single/all-in-one-dbless.yaml index c822e29236..f997d42e2b 100644 --- a/deploy/single/all-in-one-dbless.yaml 
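Review bot: The new `config/base/secret-sa-token.yaml` carries no comment explaining why a manually created service-account token exists next to `serviceaccount.yaml`, and it is a static credential: the token controller fills it with a non-expiring token for `kong-serviceaccount`, so any principal allowed to read Secrets in the `kong` namespace holds that account's RBAC permissions until the Secret is deleted. A header comment such as `# Long-lived token Secret for kong-serviceaccount, mounted explicitly because the ingress-kong pod sets automountServiceAccountToken: false; delete and recreate this Secret to rotate the token.` would document both the coupling to the Deployment and the rotation procedure. The kustomization hunk that registers the file under `resources:` needs nothing further.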
+++ b/deploy/single/all-in-one-dbless.yaml @@ -1392,6 +1392,15 @@ subjects: namespace: kong --- apiVersion: v1 +kind: Secret +metadata: + annotations: + kubernetes.io/service-account.name: kong-serviceaccount + name: kong-serviceaccount-token + namespace: kong +type: kubernetes.io/service-account-token +--- +apiVersion: v1 kind: Service metadata: annotations: @@ -1447,6 +1456,7 @@ spec: labels: app: ingress-kong spec: + automountServiceAccountToken: false containers: - env: - name: KONG_PROXY_LISTEN @@ -1555,7 +1565,20 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kong-serviceaccount-token + readOnly: true serviceAccountName: kong-serviceaccount + volumes: + - name: kong-serviceaccount-token + secret: + items: + - key: token + path: token + - key: ca.crt + path: ca.crt + secretName: kong-serviceaccount-token --- apiVersion: networking.k8s.io/v1 kind: IngressClass diff --git a/deploy/single/all-in-one-postgres-enterprise.yaml b/deploy/single/all-in-one-postgres-enterprise.yaml index 40c297abc1..565d2884fe 100644 --- a/deploy/single/all-in-one-postgres-enterprise.yaml +++ b/deploy/single/all-in-one-postgres-enterprise.yaml @@ -1392,6 +1392,15 @@ subjects: namespace: kong --- apiVersion: v1 +kind: Secret +metadata: + annotations: + kubernetes.io/service-account.name: kong-serviceaccount + name: kong-serviceaccount-token + namespace: kong +type: kubernetes.io/service-account-token +--- +apiVersion: v1 kind: Service metadata: name: kong-admin @@ -1493,6 +1502,7 @@ spec: labels: app: ingress-kong spec: + automountServiceAccountToken: false containers: - env: - name: KONG_LICENSE_DATA @@ -1629,6 +1639,10 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kong-serviceaccount-token + readOnly: true imagePullSecrets: - name: kong-enterprise-edition-docker initContainers: 
@@ -1650,6 +1664,15 @@ spec: image: kong/kong-gateway:2.8 name: wait-for-migrations serviceAccountName: kong-serviceaccount + volumes: + - name: kong-serviceaccount-token + secret: + items: + - key: token + path: token + - key: ca.crt + path: ca.crt + secretName: kong-serviceaccount-token --- apiVersion: apps/v1 kind: StatefulSet diff --git a/deploy/single/all-in-one-postgres.yaml b/deploy/single/all-in-one-postgres.yaml index 14a5f1616b..402e186126 100644 --- a/deploy/single/all-in-one-postgres.yaml +++ b/deploy/single/all-in-one-postgres.yaml @@ -1392,6 +1392,15 @@ subjects: namespace: kong --- apiVersion: v1 +kind: Secret +metadata: + annotations: + kubernetes.io/service-account.name: kong-serviceaccount + name: kong-serviceaccount-token + namespace: kong +type: kubernetes.io/service-account-token +--- +apiVersion: v1 kind: Service metadata: annotations: @@ -1461,6 +1470,7 @@ spec: labels: app: ingress-kong spec: + automountServiceAccountToken: false containers: - env: - name: KONG_DATABASE @@ -1573,6 +1583,10 @@ spec: periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kong-serviceaccount-token + readOnly: true initContainers: - command: - /bin/sh @@ -1587,6 +1601,15 @@ spec: image: kong:2.8 name: wait-for-migrations serviceAccountName: kong-serviceaccount + volumes: + - name: kong-serviceaccount-token + secret: + items: + - key: token + path: token + - key: ca.crt + path: ca.crt + secretName: kong-serviceaccount-token --- apiVersion: apps/v1 kind: StatefulSet