Allow setting a default service account for impersonation #406

Merged
merged 1 commit into from
Jan 31, 2022

stefanprodan

Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation across the cluster without having to use an admission controller.

When the flag is set to a value that's not an empty string, all HelmReleases which don't have `spec.serviceAccountName` specified will use the service account name provided by `--default-service-account=<SA Name>` in the namespace of the object.

Breaking changes:

  • When `--default-service-account=<SA name>` and/or `spec.ServiceAccountName` are specified, the controller no longer queries the API to extract and use the SA token. Instead, the controller relies on the Kubernetes impersonation feature to run the reconciliation under the `system:serviceaccount:<SA Namespace>:<SA Name>` identity. This impacts only clusters with custom-made tokens and `automountServiceAccountToken` disabled. If a service account token points to a different identity (which should never be the case), then the controller will fail to reconcile with `Forbidden : User "system:serviceaccount:my-namespace:my-sa-name" cannot create resource`.
  • When both `spec.kubeConfig` and `spec.ServiceAccountName` are specified, the controller will impersonate the service account on the target cluster; previously the controller ignored the service account.

Part of: fluxcd/flux2#2340
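
The identity selection and impersonation described in the pull request description above, as an added Go example that is not part of the pull request or the controller's code. The function and type names are hypothetical, a constructed `recorder` stands in for the API server, and `Impersonate-User` is the request header Kubernetes uses for user impersonation.

```go
package main

import (
	"fmt"
	"net/http"
)

// impersonationUser: spec.serviceAccountName wins, then --default-service-account.
func impersonationUser(ns, specSA, defaultSA string) string {
	name := specSA
	if name == "" {
		name = defaultSA
	}
	if name == "" {
		return "" // neither is set: no Impersonate-User header is sent
	}
	return "system:serviceaccount:" + ns + ":" + name
}

// impersonating sets the Kubernetes Impersonate-User header on each request.
type impersonating struct{ user string; next http.RoundTripper }

func (t impersonating) RoundTrip(req *http.Request) (*http.Response, error) {
	req = req.Clone(req.Context()) // a RoundTripper must not modify the caller's request
	if t.user != "" {
		req.Header.Set("Impersonate-User", t.user)
	}
	return t.next.RoundTrip(req)
}

// recorder is a constructed stand-in for the API server; it keeps the header it saw.
type recorder struct{ got string }
func (r *recorder) RoundTrip(req *http.Request) (*http.Response, error) {
	r.got = req.Header.Get("Impersonate-User")
	return &http.Response{StatusCode: 200, Body: http.NoBody}, nil
}

// headerSeen returns the Impersonate-User value the stand-in server received.
func headerSeen(ns, specSA, defaultSA string) string {
	rec := &recorder{}
	c := &http.Client{Transport: impersonating{impersonationUser(ns, specSA, defaultSA), rec}}
	if resp, err := c.Get("https://kubernetes.invalid/api"); err == nil {
		resp.Body.Close()
	}
	return rec.got
}

func main() {
	fmt.Println(headerSeen("my-namespace", "", "my-sa-name"))
}
```

Because the API server authorizes each request as the impersonated identity, the RBAC bound to that service account in the object's namespace bounds what a reconciliation can create.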

stefanprodan added the enhancement label on Jan 27, 2022

stefanprodan force-pushed the default-service-account branch 3 times, most recently from 38de075 to 44fcd38, on January 31, 2022 09:21
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resources reconciliation.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>

hiddeco left a comment

Thanks for following through on requested changes 🙇
