Allow changing automountServiceAccountToken in PodSpec via values.yaml #1262

Open: wants to merge 3 commits into base: master

@vidarno vidarno commented Nov 25, 2024

What does this PR do?

This PR adds serviceAccount.automountServiceAccountToken to values.yaml and thus allows changing automountServiceAccountToken in the PodSpec, which is true by default. This PR does not change the default behavior.

Motivation

automountServiceAccountToken is set to false in the actual service account definition, but in environments that have policies that require automountServiceAccountToken to be false in the actual PodSpec, this isn't good enough. Ideally the same value would change automountServiceAccountToken in both the service account definition and in the PodSpec, but since they are respectively true and false by default, this would effectively change the default behaviour if both were set by this one value, so I opted to only have this value control the attribute in the PodSpec.

This is the issue described in #1254

More

  • [x] Yes, I updated the tests accordingly
  • Yes, I updated the schema accordingly
  • Yes, I ran make test and all the tests passed

@darkweaver87
Contributor

Hello @vidarno,

Thanks for your contribution :-)

Could you describe your use case a bit more? Because Traefik needs a token to list/get/update the resources (Ingress/IngressRoutes/Middlewares, ...) it needs depending on the providers you're using. Or, are you willing to inject the token manually using a TokenRequest for instance?

In any case, could you add some tests around your change?

Thanks.

Rémi

@vidarno
Author

vidarno commented Nov 27, 2024

The need comes from environments that don't allow automounting the serviceaccount due to policies (OPA, Kyverno or similar).

The solution in such an environment is to disable automounting of the serviceaccount and instead use service account token projection, like described here - https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#launch-a-pod-using-service-account-token-projection

This helm chart already has support for volumes and volumemounts, so this should be a good alternative to automounting the serviceaccount for those who are unable to do so.
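
The setup described in the comment above, written out as a plain Pod manifest. This is an added example, not part of the original comment and not the chart's own template; the pod name, service account name, image reference and `expirationSeconds` value are assumptions.

```yaml
# Added example: automount disabled in the PodSpec, token supplied by projection.
apiVersion: v1
kind: Pod
metadata:
  name: traefik-projected-token        # hypothetical name
spec:
  serviceAccountName: traefik          # assumed service account name
  automountServiceAccountToken: false  # the field admission policies inspect
  containers:
    - name: traefik
      image: traefik                   # placeholder image reference
      volumeMounts:
        - name: sa-token
          # Default in-cluster credential path, so clients find the files
          # without extra configuration.
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
  volumes:
    - name: sa-token
      projected:
        sources:
          # Short-lived, audience-bound token requested by the kubelet.
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600  # assumed lifetime
          # Cluster CA bundle published in every namespace.
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          # Namespace file expected next to the token.
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    fieldPath: metadata.namespace
```

The kubelet refreshes the projected token before it expires, so the workload has to re-read the file rather than cache its contents for the life of the process.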

@darkweaver87
Contributor

Thanks @vidarno for the detailed explanation.
Then, could you just add a test and I'll be happy to review and merge it?
