Support for Bound Service Account Token projected volume #2485
Comments
Forgot to mention that this feature was made stable in Kubernetes 1.22: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume

Hey @tspearconquest, this is a known issue; we are working on fixing all the issues related to the Kubernetes client here: #2973. Thank you again @alacuku!
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle stale

/remove-lifecycle stale
@jasondellaluce help? Looks like the bot removed and re-added the same label...
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close.
Provide feedback via https://github.com/falcosecurity/community.
/lifecycle rotten

/remove-lifecycle rotten
The new

This should be solved by Falco 0.37.0! Feel free to reopen if this is still an issue.
Motivation
As demonstrated in #2476, Falco is not detecting a rotated service account token credential, and is therefore failing to connect to the API server once the credential has been rotated by the kubelet.
Feature
Falco needs to detect when the service account token has been rotated and begin using the new token so that it doesn't crash.
There are a few OSS repos where I can find fixes for this same issue. Datadog has a fix due to crashing, and Cert-Manager has an example helm chart values file for configuring cert-manager with this feature.
Alternatives
Turn off the feature and automount the service account token
Additional context
Best practices recommend disabling service account token automount, so we have used kustomize to add the `automountServiceAccountToken: false` field and added the service account token volume and volumeMount to the helm values.yaml file. Falco operates properly with this enabled; however, when the token gets rotated, it doesn't detect the change and continues to try to connect to the API server with a now-stale token, which causes Falco to exit.