Merge branch '1860-dustin-refactor-automountserviceaccounttoken-early-packages' into 'master'

Refactor Gitlab + Monitoring automountServiceAccountToken hardening for consistency Closes #1860 See merge request !3667

Merge branch '1860-dustin-refactor-automountserviceaccounttoken-early-packages' into 'master'
d83fe0b6 · Ryan Garcia · ce35c915 · af80d7cc · d83fe0b6
Commit d83fe0b6 authored 1 year ago by Ryan Garcia
--- a/chart/templates/kyverno-policies/values.yaml
+++ b/chart/templates/kyverno-policies/values.yaml
@@ -120,24 +120,6 @@ policies:
    validationFailureAction: Audit
    exclude:
      any:
-      {{- if .Values.addons.gitlab.enabled }}
-      - resources:
-          namespaces:
-          - gitlab
-          kinds:
-          - Pod
-          names:
-          - gitlab-shared-secrets*
-      {{- end }}
-      {{- if .Values.addons.gitlabRunner.enabled }}
-      - resources:
-          namespaces:
-          - gitlab-runner
-          kinds:
-          - ServiceAccount
-          names:
-          - gitlab-runner
-      {{- end }}
      {{- if .Values.kyvernoReporter.enabled }}
      - resources:
          namespaces:
@@ -149,26 +131,6 @@ policies:
          - kyverno-reporter*
      {{- end }}
      {{- if .Values.monitoring.enabled }}
-      - resources:
-          namespaces:
-          - monitoring
-          kinds:
-          - ServiceAccount
-          names:
-          - monitoring-monitoring-prometheus-node-exporter
-          - monitoring-monitoring-kube-operator
-          - monitoring-monitoring-kube-state-metrics
-          - monitoring-monitoring-kube-admission
-          - monitoring-monitoring-kube-prometheus
-      - resources:
-          namespaces:
-          - monitoring
-          kinds:
-          - Pod
-          - Deployment
-          names:
-          - prometheus-monitoring-monitoring-kube-prometheus*
-      {{- end }}
      - resources:
          namespaces:
          - flux-system
@@ -180,6 +142,7 @@ policies:
          - helm-controller-*
          - source-controller-*
          - kustomize-controller-*
+      {{- end }}

  {{- if or .Values.fluentbit.enabled .Values.monitoring.enabled .Values.twistlock.enabled }}
  disallow-tolerations:
@@ -726,6 +689,9 @@ policies:
      - bigbang
      - flux-system
      - keycloak
+      - monitoring
+      - gitlab
+      - gitlab-runner

  update-automountserviceaccounttokens:
    enabled: true
@@ -863,8 +829,18 @@ policies:
      - namespace: monitoring
        serviceAccounts:
        - monitoring-grafana
+        - monitoring-monitoring-kube-admission
+        - monitoring-monitoring-kube-prometheus
+        - monitoring-monitoring-kube-state-metrics
+        - monitoring-monitoring-kube-operator
+        - monitoring-monitoring-prometheus-node-exporter
        pods:
        - monitoring-grafana-*
+        - monitoring-monitoring-kube-admission-create-*
+        - monitoring-monitoring-kube-admission-patch-*
+        - monitoring-monitoring-kube-state-metrics-*
+        - monitoring-monitoring-kube-operator-*
+        - prometheus-monitoring-monitoring-kube-prometheus-*
      - namespace: anchore
        serviceAccounts:
        - anchore-ui-redis
@@ -933,6 +909,14 @@ policies:
      - namespace: keycloak
        serviceAccounts:
        - keycloak
+      - namespace: gitlab
+        pods:
+        - gitlab-shared-secrets*
+      - namespace: gitlab-runner
+        serviceAccounts: 
+        - gitlab-runner
+        pods:
+        - gitlab-runner-*

 istio:
  enabled: {{ .Values.istio.enabled }}