From e7df4d3dd9846faccb7fd3b4686c9b9a08e6fca3 Mon Sep 17 00:00:00 2001
From: Alessio Greggi <ale_grey_91@hotmail.it>
Date: Fri, 6 May 2022 09:39:07 +0200
Subject: [PATCH] add support for `service-account-lookup` parameter (#8781)

* feat: add variable to manage service-account-lookup on kube-apiserver

* docs: add documentation about service-account-lookup variable
---
 docs/vars.md                                                 | 2 ++
 roles/kubernetes/control-plane/defaults/main/main.yml        | 5 +++++
 .../control-plane/templates/kubeadm-config.v1beta2.yaml.j2   | 3 +++
 3 files changed, 10 insertions(+)

diff --git a/docs/vars.md b/docs/vars.md
index 304163568..5a666e388 100644
--- a/docs/vars.md
+++ b/docs/vars.md
@@ -146,6 +146,8 @@ kube_apiserver_admission_event_rate_limits:
   ...
 ```
 
+* *kube_apiserver_service_account_lookup* - Enable validation service account before validating token. Default `true`.
+
 Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
 private addresses, make sure to pick another values for ``kube_service_addresses``
 and ``kube_pods_subnet``, for example from the ``172.18.0.0/16``.
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 51984933b..42f9c7654 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -18,6 +18,11 @@ kube_apiserver_node_port_range: "30000-32767"
 # ETCD backend for k8s data
 kube_apiserver_storage_backend: etcd3
 
+# CIS 1.2.26
+# Validate that the service account token
+# in the request is actually present in etcd.
+kube_apiserver_service_account_lookup: true
+
 kube_etcd_cacert_file: ca.pem
 kube_etcd_cert_file: node-{{ inventory_hostname }}.pem
 kube_etcd_key_file: node-{{ inventory_hostname }}-key.pem
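Review bot: The new comment `# CIS 1.2.26` cites a control number without naming the benchmark release, and CIS Kubernetes Benchmark control numbers shift between releases, so the reference will become hard to trace; suggest `# CIS Kubernetes Benchmark <version>, control 1.2.26: ensure the --service-account-lookup argument is set to true` with the actual version filled in. It would also help to state that `true` matches the kube-apiserver built-in default for this flag, so the variable exists to make the hardening explicit rather than to change behaviour. Keep the value a real boolean as written; only the comment needs the extra context.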
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta2.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta2.yaml.j2
index a43c549de..9b2e47398 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta2.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta2.yaml.j2
@@ -146,6 +146,9 @@ apiServer:
 {% if kube_token_auth|default(true) %}
     token-auth-file: {{ kube_token_dir }}/known_tokens.csv
 {% endif %}
+{% if kube_apiserver_service_account_lookup %}
+    service-account-lookup: "{{ kube_apiserver_service_account_lookup }}"
+{% endif %}
 {% if kube_oidc_auth|default(false) and kube_oidc_url is defined and kube_oidc_client_id is defined %}
     oidc-issuer-url: "{{ kube_oidc_url }}"
     oidc-client-id: "{{ kube_oidc_client_id }}"
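Review bot: The `{% if kube_apiserver_service_account_lookup %}` guard at the top of the added lines means a value of `false` renders nothing, so kube-apiserver falls back to its own default and the variable can never actually disable the lookup, while the docs hunk ("Default `true`") presents it as configurable. If the flag should always be pinned, drop the guard and render it unconditionally as `service-account-lookup: "{{ kube_apiserver_service_account_lookup | lower }}"`; if `false` is meant to be a no-op, say so in the defaults comment and the docs line instead. The `| lower` also matters because Ansible renders a Python boolean as `True`; Go's flag parsing accepts that spelling, but lowercase keeps the rendered extraArgs canonical and consistent with the `true` in defaults. The `apiServer:` block this sits in starts and ends outside the hunk.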
-- 
GitLab