added custom service account

robusta-dev · May 22, 2024 · ceb71ef · ceb71ef
1 parent 57f7417
commit ceb71ef
Show file tree

Hide file tree

Showing 8 changed files with 33 additions and 19 deletions.
diff --git a/helm/robusta/templates/forwarder.yaml b/helm/robusta/templates/forwarder.yaml
@@ -22,7 +22,11 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.kubewatch.customServiceAccount }}
+      serviceAccountName: {{ .Values.kubewatch.customServiceAccount }}
+      { { else } }
       serviceAccountName: {{ include "robusta.fullname" . }}-forwarder-service-account
+      {{- end }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- if .Values.kubewatch.imagePullSecrets }}
       imagePullSecrets:

diff --git a/helm/robusta/templates/runner.yaml b/helm/robusta/templates/runner.yaml
@@ -26,7 +26,11 @@ spec:
         {{- end }}
       {{- end }}
     spec:
+      {{- if .Values.runner.customServiceAccount }}
+      serviceAccountName: {{ .Values.runner.customServiceAccount }}
+      {{ else }}
       serviceAccountName: {{ include "robusta.fullname" . }}-runner-service-account
+      {{- end }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- if .Values.runner.imagePullSecrets }}
       imagePullSecrets:
@@ -53,6 +57,10 @@ spec:
             value: /etc/robusta/config/active_playbooks.yaml
           - name: RELEASE_NAME
             value: {{ include "robusta.fullname" .| quote }}
+          {{- if .Values.runner.customServiceAccount }}
+          - name: RUNNER_SERVICE_ACCOUNT
+            value: {{ .Values.runner.customServiceAccount }}
+          {{- end }}
           - name: PROMETHEUS_ENABLED
             value: {{ .Values.enablePrometheusStack | quote}}
           - name: MANAGED_CONFIGURATION_ENABLED

diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
@@ -551,6 +551,7 @@ kubewatch:
       readOnlyRootFilesystem: false
       runAsUser: 1000
     pod: {}
+  customServiceAccount: "" # to override the kubewatch service account
   serviceAccount:
     # Additional annotations for the ServiceAccount.
     annotations: {}
@@ -587,6 +588,7 @@ runner:
   sentry_dsn: https://[email protected]/6156573
   sendAdditionalTelemetry: false
   certificate: "" # base64 encoded
+  customServiceAccount: "" # to override the runner service account
   resources:
     requests:
       cpu: 250m

diff --git a/playbooks/robusta_playbooks/krr.py b/playbooks/robusta_playbooks/krr.py
@@ -10,10 +10,9 @@
 from hikaru.model.rel_1_26 import Container, EnvVar, EnvVarSource, PodSpec, ResourceRequirements, SecretKeySelector
 from prometrix import AWSPrometheusConfig, CoralogixPrometheusConfig, PrometheusAuthorization, PrometheusConfig
 from pydantic import BaseModel, ValidationError, validator
-
 from robusta.api import (
     IMAGE_REGISTRY,
-    RELEASE_NAME,
+    RUNNER_SERVICE_ACCOUNT,
     EnrichmentAnnotation,
     ExecutionBaseEvent,
     Finding,
@@ -110,7 +109,7 @@ class KRRParams(PrometheusParams, PodRunningParams):
     :var krr_verbose: Run krr job with verbose logging
     """
 
-    serviceAccountName: str = f"{RELEASE_NAME}-runner-service-account"
+    serviceAccountName: str = RUNNER_SERVICE_ACCOUNT
     strategy: str = "simple"
     args: Optional[str] = None
     krr_args: str = ""

diff --git a/playbooks/robusta_playbooks/popeye.py b/playbooks/robusta_playbooks/popeye.py
@@ -11,15 +11,15 @@
 from hikaru.model.rel_1_26 import Container, PodSpec, ResourceRequirements
 from pydantic import BaseModel, ValidationError
 from robusta.api import (
-    RELEASE_NAME,
+    RUNNER_SERVICE_ACCOUNT,
     EnrichmentAnnotation,
     ExecutionBaseEvent,
     Finding,
     FindingSource,
     FindingType,
     PodRunningParams,
-    RobustaJob,
     PopeyeScanReportBlock,
+    RobustaJob,
     ScanReportRow,
     ScanType,
     action,
@@ -79,7 +79,7 @@ class PopeyeParams(PodRunningParams):
     :var service_account_name: The account name to use for the Popeye scan job.
     """
 
-    service_account_name: str = f"{RELEASE_NAME}-runner-service-account"
+    service_account_name: str = RUNNER_SERVICE_ACCOUNT
     timeout = 300
     args: Optional[str] = None
     popeye_args: str = "-s no,ns,po,svc,sa,cm,dp,sts,ds,pv,pvc,hpa,pdb,cr,crb,ro,rb,ing,np,psp"

diff --git a/src/robusta/api/__init__.py b/src/robusta/api/__init__.py
@@ -22,6 +22,8 @@
     GrafanaParams,
     LogEnricherParams,
     NamedRegexPattern,
+    OOMGraphEnricherParams,
+    OomKillParams,
     PodResourceGraphEnricherParams,
     PodRunningParams,
     ProcessParams,
@@ -33,8 +35,6 @@
     ResourceChartItemType,
     ResourceChartResourceType,
     ResourceGraphEnricherParams,
-    OOMGraphEnricherParams,
-    OomKillParams,
     TimedPrometheusParams,
     VideoEnricherParams,
 )
@@ -70,6 +70,7 @@
     ROBUSTA_LOGO_URL,
     ROBUSTA_TELEMETRY_ENDPOINT,
     ROBUSTA_UI_DOMAIN,
+    RUNNER_SERVICE_ACCOUNT,
     RUNNER_VERSION,
     SEND_ADDITIONAL_TELEMETRY,
     SERVICE_CACHE_MAX_SIZE,
@@ -106,15 +107,15 @@
 from robusta.core.playbooks.actions_registry import Action, action
 from robusta.core.playbooks.common import get_event_timestamp, get_resource_events, get_resource_events_table
 from robusta.core.playbooks.container_playbook_utils import create_container_graph
+from robusta.core.playbooks.crash_reporter import send_crash_report
 from robusta.core.playbooks.job_utils import CONTROLLER_UID, get_job_all_pods, get_job_latest_pod, get_job_selector
 from robusta.core.playbooks.node_playbook_utils import create_node_graph_enrichment
 from robusta.core.playbooks.pod_utils.crashloop_utils import get_crash_report_enrichments
 from robusta.core.playbooks.pod_utils.imagepull_utils import (
-    get_image_pull_backoff_enrichment,
     get_image_pull_backoff_container_statuses,
+    get_image_pull_backoff_enrichment,
 )
 from robusta.core.playbooks.pod_utils.pending_pod_utils import get_pending_pod_enrichment
-from robusta.core.playbooks.crash_reporter import send_crash_report
 from robusta.core.playbooks.prometheus_enrichment_utils import (
     XAxisLine,
     create_chart_from_prometheus_query,
@@ -138,38 +139,37 @@
     CallbackChoice,
     DividerBlock,
     Emojis,
+    EmptyFileBlock,
     Enrichment,
     FileBlock,
-    EmptyFileBlock,
     Filterable,
     Finding,
     FindingSeverity,
     FindingStatus,
     FindingSubject,
     HeaderBlock,
     JsonBlock,
+    KRRScanReportBlock,
     KubernetesDiffBlock,
     KubernetesFieldsBlock,
     ListBlock,
     MarkdownBlock,
+    PopeyeScanReportBlock,
     PrometheusBlock,
     ScanReportBlock,
-    PopeyeScanReportBlock,
-    KRRScanReportBlock,
     ScanReportRow,
     TableBlock,
     VideoLink,
 )
-
-from robusta.core.reporting.base import EnrichmentType
-from robusta.core.reporting.blocks import GraphBlock
 from robusta.core.reporting.action_requests import (
     ActionRequestBody,
     ExternalActionRequest,
     OutgoingActionRequest,
     PartialAuth,
     sign_action_request,
 )
+from robusta.core.reporting.base import EnrichmentType
+from robusta.core.reporting.blocks import GraphBlock
 from robusta.core.reporting.callbacks import ExternalActionRequestBuilder
 from robusta.core.reporting.consts import (
     EnrichmentAnnotation,
@@ -190,7 +190,6 @@
     ScheduledJob,
     SchedulingInfo,
 )
-from robusta.core.playbooks.node_playbook_utils import create_node_graph_enrichment
 from robusta.core.sinks import SinkBase, SinkBaseParams, SinkConfigBase
 from robusta.core.sinks.kafka import KafkaSink, KafkaSinkConfigWrapper, KafkaSinkParams
 from robusta.core.triggers.helm_releases_triggers import HelmReleasesEvent, HelmReleasesTriggerEvent

diff --git a/src/robusta/core/model/env_vars.py b/src/robusta/core/model/env_vars.py
@@ -65,6 +65,8 @@ def load_bool(env_var, default: bool):
 SEND_ADDITIONAL_TELEMETRY = os.environ.get("SEND_ADDITIONAL_TELEMETRY", "false").lower() == "true"
 RELEASE_NAME = os.environ.get("RELEASE_NAME", "robusta")
 
+RUNNER_SERVICE_ACCOUNT = os.environ.get("RUNNER_SERVICE_ACCOUNT", f"{RELEASE_NAME}-runner-service-account")
+
 TELEMETRY_PERIODIC_SEC = int(os.environ.get("TELEMETRY_PERIODIC_SEC", 60 * 60 * 24))  # 24H
 
 SLACK_TABLE_COLUMNS_LIMIT = int(os.environ.get("SLACK_TABLE_COLUMNS_LIMIT", 3))

diff --git a/src/robusta/integrations/kubernetes/custom_models.py b/src/robusta/integrations/kubernetes/custom_models.py
@@ -13,7 +13,7 @@
 from kubernetes.client import ApiException
 from pydantic import BaseModel
 
-from robusta.core.model.env_vars import IMAGE_REGISTRY, INSTALLATION_NAMESPACE, RELEASE_NAME
+from robusta.core.model.env_vars import IMAGE_REGISTRY, INSTALLATION_NAMESPACE, RUNNER_SERVICE_ACCOUNT
 from robusta.integrations.kubernetes.api_client_utils import (
     SUCCEEDED_STATE,
     exec_shell_command,
@@ -251,7 +251,7 @@ def create_debugger_pod(
                 annotations=custom_annotations,
             ),
             spec=PodSpec(
-                serviceAccountName=f"{RELEASE_NAME}-runner-service-account",
+                serviceAccountName=RUNNER_SERVICE_ACCOUNT,
                 hostPID=True,
                 nodeName=node_name,
                 restartPolicy="OnFailure",