Mitigate automountServiceAccountToken findings in flux-system and bigbang namespaces

a3704782 · Justen Mehl · Michael Martin · 071814bc · a3704782 · a3704782
Commit a3704782 authored 1 year ago by Justen Mehl Committed by Michael Martin 1 year ago
--- a/base/flux/kustomization.yaml
+++ b/base/flux/kustomization.yaml
@@ -53,6 +53,15 @@ patches:
                    drop:
                      - ALL
                  $patch: replace
+  - target:
+      kind: ServiceAccount
+      name: helm-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: helm-controller
+      automountServiceAccountToken: false
  - target:
      kind: Deployment
      name: helm-controller
@@ -64,6 +73,7 @@ patches:
      spec:
        template:
          spec:
+            automountServiceAccountToken: true
            containers:
            - name: manager
              resources:
@@ -73,6 +83,15 @@ patches:
                requests:
                  cpu: 900m
                  memory: 1Gi
+  - target:
+      kind: ServiceAccount
+      name: kustomize-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: kustomize-controller
+      automountServiceAccountToken: false
  - target:
      kind: Deployment
      name: kustomize-controller
@@ -84,6 +103,7 @@ patches:
      spec:
        template:
          spec:
+            automountServiceAccountToken: true
            containers:
            - name: manager
              resources:
@@ -93,6 +113,15 @@ patches:
                requests:
                  cpu: 300m
                  memory: 600Mi
+  - target:
+      kind: ServiceAccount
+      name: notification-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: notification-controller
+      automountServiceAccountToken: false
  - target:
      kind: Deployment
      name: notification-controller
@@ -104,6 +133,7 @@ patches:
      spec:
        template:
          spec:
+            automountServiceAccountToken: true
            containers:
            - name: manager
              resources:
@@ -113,6 +143,15 @@ patches:
                requests:
                  cpu: 100m
                  memory: 200Mi
+  - target:
+      kind: ServiceAccount
+      name: source-controller
+    patch: |-
+      apiVersion: v1
+      kind: ServiceAccount
+      metadata:
+        name: source-controller
+      automountServiceAccountToken: false
  - target:
      kind: Deployment
      name: source-controller
@@ -124,6 +163,7 @@ patches:
      spec:
        template:
          spec:
+            automountServiceAccountToken: true
            containers:
            - name: manager
              resources:

--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -169,6 +169,17 @@ policies:
          names:
          - prometheus-monitoring-monitoring-kube-prometheus*
      {{- end }}
+      - resources:
+          namespaces:
+          - flux-system
+          kinds:
+          - Pod
+          - Deployment
+          names:
+          - notification-controller-*
+          - helm-controller-*
+          - source-controller-*
+          - kustomize-controller-*

  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.twistlock.enabled }}
  disallow-tolerations:
@@ -712,6 +723,8 @@ policies:
      - thanos
      - mattermost
      - mattermost-operator
+      - bigbang
+      - flux-system
      - keycloak

  update-automountserviceaccounttokens: