feat: make service account token rotation configurable

Signed-off-by: Martin Linkhorst <martin.linkhorst@zalando.de>
zalando-incubator · Jan 8, 2020 · 929878e · 929878e
1 parent 9fa1251
commit 929878e
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 15 deletions.
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -298,6 +298,8 @@ apiserver_proxy: "true"
 # when set to true, service account tokens can be used from outside the cluster
 # requires apiserver_proxy to be set to "true"
 allow_external_service_accounts: "false"
+# issue service account tokens with expiration time.
+rotate_service_account_tokens: "false"
 
 # use kube-aws-iam-controller for kube-system components
 kube_aws_iam_controller_kube_system_enable: "true"

diff --git a/cluster/manifests/kube-proxy/configmap.yaml b/cluster/manifests/kube-proxy/configmap.yaml
@@ -24,7 +24,7 @@ data:
     enableProfiling: false
     featureGates:
       TaintBasedEvictions: true
-      BoundServiceAccountTokenVolume: true
+      BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
     healthzBindAddress: 0.0.0.0:10256
     hostnameOverride: ""
     iptables:

diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml
@@ -41,12 +41,9 @@ write_files:
 {{- if not (index .Cluster.ConfigItems "enable_cfs_quota") }}
       cpuCFSQuota: false
 {{- end }}
-{{- if ne .NodePool.ConfigItems.pod_max_pids "-1" }}
       featureGates:
-        SupportPodPidsLimit: true
-        BoundServiceAccountTokenVolume: true
+        BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
       podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
-{{- end }}
       maxPods: {{ nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) 8 }}
       healthzPort: 10248
       healthzBindAddress: "0.0.0.0"
@@ -121,8 +118,12 @@ write_files:
           - --authorization-mode=Webhook,RBAC
           - --authorization-webhook-config-file=/etc/kubernetes/config/authz.yaml
           - --admission-control-config-file=/etc/kubernetes/config/image-policy-webhook.yaml
-          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,CustomResourceWebhookConversion={{.Cluster.ConfigItems.custom_resource_webhook_conversion}},CustomResourcePublishOpenAPI={{.Cluster.ConfigItems.custom_resource_publish_openapi}},BoundServiceAccountTokenVolume=true
+          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,CustomResourceWebhookConversion={{.Cluster.ConfigItems.custom_resource_webhook_conversion}},CustomResourcePublishOpenAPI={{.Cluster.ConfigItems.custom_resource_publish_openapi}},BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
           - --anonymous-auth=false
+          {{- if eq .Cluster.ConfigItems.rotate_service_account_tokens "true" }}
+          - --service-account-signing-key-file=/etc/kubernetes/ssl/service-account-private-key.pem
+          - --service-account-issuer=kubernetes/serviceaccount
+          {{- end }}
           {{ if ne .Cluster.ConfigItems.audittrail_url "" }}
           - --audit-webhook-config-file=/etc/kubernetes/config/audit.yaml
           - --audit-webhook-mode=batch
@@ -148,8 +149,6 @@ write_files:
           - --kubelet-certificate-authority=/etc/kubernetes/ssl/ca.pem
           - --kubelet-client-certificate=/etc/kubernetes/ssl/kubelet-client.pem
           - --kubelet-client-key=/etc/kubernetes/ssl/kubelet-client-key.pem
-          - --service-account-signing-key-file=/etc/kubernetes/ssl/service-account-private-key.pem
-          - --service-account-issuer=kubernetes/serviceaccount
           livenessProbe:
             httpGet:
               host: 127.0.0.1
@@ -484,14 +483,13 @@ write_files:
         - name: kube-controller-manager
           image: nonexistent.zalan.do/teapot/kube-controller-manager:fixed
           args:
-          - --controllers=*,-serviceaccount-token
           - --kubeconfig=/etc/kubernetes/controller-kubeconfig
           - --leader-elect=true
           - --service-account-private-key-file=/etc/kubernetes/ssl/service-account-private-key.pem
           - --root-ca-file=/etc/kubernetes/ssl/ca.pem
           - --cloud-provider=aws
           - --cloud-config=/etc/kubernetes/cloud-config.ini
-          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,BoundServiceAccountTokenVolume=true
+          - --feature-gates=TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},TTLAfterFinished=true,BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
           - --horizontal-pod-autoscaler-use-rest-clients=true
           - --use-service-account-credentials=true
           - --configure-cloud-routes=false
@@ -554,7 +552,7 @@ write_files:
           args:
           - --master=http://127.0.0.1:8080
           - --leader-elect=true
-          - --feature-gates=TaintBasedEvictions=true,TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},BoundServiceAccountTokenVolume=true
+          - --feature-gates=TaintBasedEvictions=true,TaintNodesByCondition={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},ScheduleDaemonSetPods={{.Cluster.ConfigItems.experimental_schedule_daemonset_pods}},BoundServiceAccountTokenVolume={{ .Cluster.ConfigItems.rotate_service_account_tokens }}
           env:
           - name: KUBE_MAX_PD_VOLS
             value: "26"

diff --git a/cluster/node-pools/worker-default/userdata.yaml b/cluster/node-pools/worker-default/userdata.yaml
@@ -51,12 +51,9 @@ write_files:
       kind: KubeletConfiguration
       clusterDomain: cluster.local
       cpuCFSQuota: false
-{{- if ne .NodePool.ConfigItems.pod_max_pids "-1" }}
       featureGates:
-        SupportPodPidsLimit: true
-        BoundServiceAccountTokenVolume: true
+        BoundServiceAccountTokenVolume: {{ .Cluster.ConfigItems.rotate_service_account_tokens }}
       podPidsLimit: {{ .NodePool.ConfigItems.pod_max_pids }}
-{{- end }}
       cpuManagerPolicy: {{ .NodePool.ConfigItems.cpu_manager_policy }}
       maxPods: {{ nodeCIDRMaxPods (parseInt64 .Cluster.ConfigItems.node_cidr_mask_size) 0 }}
       healthzPort: 10248