Bug 2302857

Summary: CVE - [odf-console] Pod Service Account Token Automatically Mounted
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation Reporter: Sanjal Katiyar <skatiyar>
Component: odf-operatorAssignee: Bipul Adhikari <badhikar>
Status: VERIFIED --- QA Contact: Parag Kamble <pakamble>
Severity: medium Docs Contact:
Priority: high    
Version: 4.17CC: asriram, badhikar, edonnell, muagarwa, nigoyal, odf-bz-bot
Target Milestone: ---Keywords: Security, SecurityTracking
Target Release: ODF 4.17.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 4.17.0-105 Doc Type: Bug Fix
Doc Text:
.Automatic mounting of service account tokens disabled to increase security By default, OpenShift automatically mounts a service account token into every pod, regardless of whether the pod needs to interact with the OpenShift API. This behavior can expose the pod’s service account token to unintended use. If a pod is compromised, the attacker could gain access to this token, leading to possible privilege escalation within the cluster. If the default service account token is unnecessarily mounted, and the pod becomes compromised, the attacker can use the service account credentials to interact with the OpenShift API. This access could lead to serious security breaches, such as unauthorized actions within the cluster, exposure of sensitive information, or privilege escalation across the cluster. To mitigate this vulnerability, the automatic mounting of service account tokens is disabled unless explicitly needed by the application running in the pod. In the case of ODF console pod the fix involved disabling the automatic mounting of the default service account token by setting the `automountServiceAccountToken: false` in the pod or service account definition. With this fix, pods no longer automatically mount the service account token unless explicitly needed. This reduces the risk of privilege escalation or misuse of the service account in case of a compromised pod.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2281703    

Description Sanjal Katiyar 2024-08-05 11:45:09 UTC 
Description of problem (please be detailed as possible and provide log
snippests):

Protect pod default service account tokens from compromise by minimizing the mounting of the default service account token to only those pods whose application requires interaction with the Kubernetes API.


By default, Kubernetes automatically provisions a service account for each pod and mounts the secret at runtime. This service account is not typically used. If this pod is compromised and the compromised user has access to the service account, the service account could be used to escalate privileges within the cluster. To reduce the likelihood of privilege escalation this service account should not be mounted by default unless the pod requires direct access to the Kubernetes API as part of the pods functionality.


Version of all relevant components (if applicable):


Does this issue impact your ability to continue to work with the product
(please explain in detail what is the user impact)?


Is there any workaround available to the best of your knowledge?


Rate from 1 - 5 the complexity of the scenario you performed that caused this
bug (1 - very simple, 5 - very complex)?


Can this issue reproducible?


Can this issue reproduce from the UI?


If this is a regression, please provide more details to justify this:


Steps to Reproduce:
1.
2.
3.


Actual results:


Expected results:


Additional info: 
Add `automountServiceAccountToken: false` or a value distinct from 'default' for the `serviceAccountName` key to the deployment's Pod configuration.
Comment 8 Sunil Kumar Acharya 2024-09-18 12:06:54 UTC 
Please update the RDT flag/text appropriately.