diff --git a/helm/robusta/templates/forwarder.yaml b/helm/robusta/templates/forwarder.yaml
index d3d29b726..82b638316 100644
--- a/helm/robusta/templates/forwarder.yaml
+++ b/helm/robusta/templates/forwarder.yaml
@@ -22,7 +22,11 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
+ {{- if .Values.kubewatch.customServiceAccount }}
+ serviceAccountName: {{ .Values.kubewatch.customServiceAccount }}
+ { { else } }
 serviceAccountName: {{ include "robusta.fullname" . }}-forwarder-service-account
+ {{- end }}
 automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.kubewatch.imagePullSecrets }}
 imagePullSecrets:
diff --git a/helm/robusta/templates/runner.yaml b/helm/robusta/templates/runner.yaml
index f120296de..b54a181e2 100644
--- a/helm/robusta/templates/runner.yaml
+++ b/helm/robusta/templates/runner.yaml
@@ -26,7 +26,11 @@ spec:
 {{- end }}
 {{- end }}
 spec:
+ {{- if .Values.runner.customServiceAccount }}
+ serviceAccountName: {{ .Values.runner.customServiceAccount }}
+ {{ else }}
 serviceAccountName: {{ include "robusta.fullname" . }}-runner-service-account
+ {{- end }}
 automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- if .Values.runner.imagePullSecrets }}
 imagePullSecrets:
@@ -53,6 +57,10 @@ spec:
 value: /etc/robusta/config/active_playbooks.yaml
 - name: RELEASE_NAME
 value: {{ include "robusta.fullname" .| quote }}
+ {{- if .Values.runner.customServiceAccount }}
+ - name: RUNNER_SERVICE_ACCOUNT
+ value: {{ .Values.runner.customServiceAccount }}
+ {{- end }}
 - name: PROMETHEUS_ENABLED
 value: {{ .Values.enablePrometheusStack | quote}}
 - name: MANAGED_CONFIGURATION_ENABLED
diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
index 849bf6cd9..598e4cf5c 100644
--- a/helm/robusta/values.yaml
+++ b/helm/robusta/values.yaml
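Review bot: `{ { else } }` on the third added line of the forwarder.yaml hunk is not a template action, so Helm emits it literally and the `{{- if }}`/`{{- end }}` pair now wraps both serviceAccountName lines. With `kubewatch.customServiceAccount` left at its default `""` the forwarder pod is rendered with no serviceAccountName at all and falls back to the namespace's `default` account, losing the chart's RBAC; with it set, the manifest carries a stray `{ { else } }` line and a duplicate serviceAccountName key. The line should read `{{- else }}`, as runner.yaml does. Separately, this hunk and both runner.yaml hunks interpolate the user-supplied name unquoted (`serviceAccountName: {{ .Values.kubewatch.customServiceAccount }}`); piping it through `| quote`, as the adjacent RELEASE_NAME env value already does, keeps an all-digit or otherwise YAML-special account name from being rendered as a non-string.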
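Review bot: The `{{ else }}` in the first runner.yaml hunk lacks the `-` trim used by the surrounding `{{- if }}` and `{{- end }}`, so the rendered pod spec keeps a whitespace-only line where the else sits; `{{- else }}` keeps the output clean and consistent with the neighbouring actions. In the second hunk the RUNNER_SERVICE_ACCOUNT env var is exported only when the override is set, so the fallback branch's `-runner-service-account` suffix and the Python-side default must stay identical or the runner will target an account that does not exist. A comment on the fallback line such as `# must match the RUNNER_SERVICE_ACCOUNT default in src/robusta/core/model/env_vars.py` would make that coupling visible to whoever next renames either side.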
@@ -551,6 +551,7 @@ kubewatch:
 readOnlyRootFilesystem: false
 runAsUser: 1000
 pod: {}
+ customServiceAccount: "" # to override the kubewatch service account
 serviceAccount:
 # Additional annotations for the ServiceAccount.
 annotations: {}
@@ -587,6 +588,7 @@ runner:
 sentry_dsn: https://53b627690db14de7b02095407596fa16@o1120648.ingest.sentry.io/6156573
 sendAdditionalTelemetry: false
 certificate: "" # base64 encoded
+ customServiceAccount: "" # to override the runner service account
 resources:
 requests:
 cpu: 250m
diff --git a/playbooks/robusta_playbooks/krr.py b/playbooks/robusta_playbooks/krr.py
index fee184a4c..f005b5b50 100644
--- a/playbooks/robusta_playbooks/krr.py
+++ b/playbooks/robusta_playbooks/krr.py
@@ -10,10 +10,9 @@
 from hikaru.model.rel_1_26 import Container, EnvVar, EnvVarSource, PodSpec, ResourceRequirements, SecretKeySelector
 from prometrix import AWSPrometheusConfig, CoralogixPrometheusConfig, PrometheusAuthorization, PrometheusConfig
 from pydantic import BaseModel, ValidationError, validator
-
 from robusta.api import (
 IMAGE_REGISTRY,
- RELEASE_NAME,
+ RUNNER_SERVICE_ACCOUNT,
 EnrichmentAnnotation,
 ExecutionBaseEvent,
 Finding,
@@ -110,7 +109,7 @@ class KRRParams(PrometheusParams, PodRunningParams):
 :var krr_verbose: Run krr job with verbose logging
 """
 
- serviceAccountName: str = f"{RELEASE_NAME}-runner-service-account"
+ serviceAccountName: str = RUNNER_SERVICE_ACCOUNT
 strategy: str = "simple"
 args: Optional[str] = None
 krr_args: str = ""
diff --git a/playbooks/robusta_playbooks/popeye.py b/playbooks/robusta_playbooks/popeye.py
index 1af9de157..6a2f7186f 100644
--- a/playbooks/robusta_playbooks/popeye.py
+++ b/playbooks/robusta_playbooks/popeye.py
@@ -11,7 +11,7 @@
 from hikaru.model.rel_1_26 import Container, PodSpec, ResourceRequirements
 from pydantic import BaseModel, ValidationError
 from robusta.api import (
- RELEASE_NAME,
+ RUNNER_SERVICE_ACCOUNT,
 EnrichmentAnnotation,
 ExecutionBaseEvent,
 Finding,
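Review bot: The two added comments say only `to override the ... service account` and leave out what the operator has to provide for the override to work. Nothing in this diff rebinds the chart's roles, so presumably the generated role bindings still target the chart-created accounts; the named ServiceAccount must therefore already exist in the release namespace and carry equivalent permissions, otherwise the pod is rejected at admission or runs without the RBAC it needs. For the runner the name is also exported as RUNNER_SERVICE_ACCOUNT and becomes the serviceAccountName of the KRR, Popeye and debugger pods it launches, which belongs next to the key. Suggested wording for both: `customServiceAccount: ""  # name of an existing ServiceAccount to use instead of the chart-created one; it must be bound to the same roles (for runner, it is also used by the pods the runner spawns)`.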
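Review bot: The first krr.py hunk also deletes the blank line that separated the third-party imports from the first-party `from robusta.api import (` block, which is unrelated to the rename and breaks the PEP 8/isort grouping; unless the project's isort configuration treats `robusta` as third party, that blank line should stay. The `serviceAccountName` default change itself is safe, since RUNNER_SERVICE_ACCOUNT falls back to the previous `f"{RELEASE_NAME}-runner-service-account"` value when the env var is not set. The KRRParams class in the second hunk starts and continues outside the hunk.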
@@ -79,7 +79,7 @@ class PopeyeParams(PodRunningParams):
 :var service_account_name: The account name to use for the Popeye scan job.
 """
 
- service_account_name: str = f"{RELEASE_NAME}-runner-service-account"
+ service_account_name: str = RUNNER_SERVICE_ACCOUNT
 timeout = 300
 args: Optional[str] = None
 popeye_args: str = "-s no,ns,po,svc,sa,cm,dp,sts,ds,pv,pvc,hpa,pdb,cr,crb,ro,rb,ing,np,psp"
diff --git a/src/robusta/api/__init__.py b/src/robusta/api/__init__.py
index c5c74fdb5..eb18f3e94 100644
--- a/src/robusta/api/__init__.py
+++ b/src/robusta/api/__init__.py
@@ -70,6 +70,7 @@
 ROBUSTA_LOGO_URL,
 ROBUSTA_TELEMETRY_ENDPOINT,
 ROBUSTA_UI_DOMAIN,
+ RUNNER_SERVICE_ACCOUNT,
 RUNNER_VERSION,
 SEND_ADDITIONAL_TELEMETRY,
 SERVICE_CACHE_MAX_SIZE,
diff --git a/src/robusta/core/model/env_vars.py b/src/robusta/core/model/env_vars.py
index 1dee01f48..8b957a58d 100644
--- a/src/robusta/core/model/env_vars.py
+++ b/src/robusta/core/model/env_vars.py
@@ -65,6 +65,8 @@ def load_bool(env_var, default: bool):
 SEND_ADDITIONAL_TELEMETRY = os.environ.get("SEND_ADDITIONAL_TELEMETRY", "false").lower() == "true"
 
 RELEASE_NAME = os.environ.get("RELEASE_NAME", "robusta")
+RUNNER_SERVICE_ACCOUNT = os.environ.get("RUNNER_SERVICE_ACCOUNT", f"{RELEASE_NAME}-runner-service-account")
+
 TELEMETRY_PERIODIC_SEC = int(os.environ.get("TELEMETRY_PERIODIC_SEC", 60 * 60 * 24)) # 24H
 
 SLACK_TABLE_COLUMNS_LIMIT = int(os.environ.get("SLACK_TABLE_COLUMNS_LIMIT", 3))
diff --git a/src/robusta/integrations/kubernetes/custom_models.py b/src/robusta/integrations/kubernetes/custom_models.py
index f59e15d7e..a01ffee63 100644
--- a/src/robusta/integrations/kubernetes/custom_models.py
+++ b/src/robusta/integrations/kubernetes/custom_models.py
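Review bot: `os.environ.get("RUNNER_SERVICE_ACCOUNT", ...)` in the env_vars.py hunk only falls back when the variable is absent, so an exported-but-empty `RUNNER_SERVICE_ACCOUNT=` yields an empty account name that the runner then writes into every pod spec it builds, and Kubernetes quietly defaults those pods to the namespace's `default` account. Using `or` makes the empty case fall back the same way the chart's `{{- if }}` does: `RUNNER_SERVICE_ACCOUNT = os.environ.get("RUNNER_SERVICE_ACCOUNT") or f"{RELEASE_NAME}-runner-service-account"`. A short comment stating that the fallback must match the service account name generated by helm/robusta/templates/runner.yaml would also help whoever next renames either side.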
@@ -13,7 +13,7 @@
 from kubernetes.client import ApiException
 from pydantic import BaseModel
 
-from robusta.core.model.env_vars import IMAGE_REGISTRY, INSTALLATION_NAMESPACE, RELEASE_NAME
+from robusta.core.model.env_vars import IMAGE_REGISTRY, INSTALLATION_NAMESPACE, RUNNER_SERVICE_ACCOUNT
 from robusta.integrations.kubernetes.api_client_utils import (
 SUCCEEDED_STATE,
 exec_shell_command,
@@ -251,7 +251,7 @@ def create_debugger_pod(
 annotations=custom_annotations,
 ),
 spec=PodSpec(
- serviceAccountName=f"{RELEASE_NAME}-runner-service-account",
+ serviceAccountName=RUNNER_SERVICE_ACCOUNT,
 hostPID=True,
 nodeName=node_name,
 restartPolicy="OnFailure",
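Review bot: The debugger pod in the second hunk runs with `hostPID=True` and its serviceAccountName is now whatever RUNNER_SERVICE_ACCOUNT resolves to from the environment; if that account does not exist in the target namespace, the API server rejects the pod at admission instead of scheduling it. `create_debugger_pod` starts before this hunk, so it is not visible here whether the resulting ApiException (imported in the first hunk) is surfaced with the account name; if it is not, an error message that includes RUNNER_SERVICE_ACCOUNT would make a misconfigured override much faster to diagnose. A one-line comment on the changed line, `# overridable via runner.customServiceAccount in the Helm chart`, would also tell readers where the value comes from.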