Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow setting a default service account for impersonation #550

Merged
merged 1 commit into from
Jan 31, 2022

Conversation

stefanprodan
Copy link
Member

@stefanprodan stefanprodan commented Jan 27, 2022

Introduce the flag --default-service-account for allowing cluster admins to enforce impersonation across the cluster without having to use an admission controller.

When the flag is set to a value that's not empty string, all Kustomizations which don't have spec.serviceAccountName specified, they will use the service account name provided by --default-service-account=<SA Name> in the namespace of the object.

Breaking changes:

  • When --default-service-account=<SA name> and/or spec.ServiceAccountName are specified, the controller no longer queries the API to extract and use the SA token. Instead, the controller relies on the Kubernetes impersonation feature to run the reconciliation under the system:serviceaccount:<SA Namespace>:<SA Name> identity. This impacts only clusters with custom made tokens and automountServiceAccountToken disabled. If a service account token points to a different identity (which should never be the case), then the controller will fail to reconcile with Forbidden : User "system:serviceaccount:my-namespace:my-sa-name" cannot patch resource.
  • When both spec.kubeConfig and spec.ServiceAccountName are specified, the controller will impersonate the service account on the target cluster, previously the controller ignored the service account.

Fix: #422
Part of: fluxcd/flux2#2340

@stefanprodan stefanprodan added the enhancement New feature or request label Jan 27, 2022
@squaremo
Copy link
Member

  • When --default-service-account=<SA name> and/or spec.ServiceAccountName are specified, the controller no longer queries the API to extract and use the SA token. Instead, the controller relies on the Kubernetes impersonation feature to run the reconciliation under the system:serviceaccount:<SA Namespace>:<SA Name> identity.

I'm not clear on how this is a breaking change -- isn't the result the same?

@stefanprodan
Copy link
Member Author

I'm not clear on how this is a breaking change -- isn't the result the same?

Indeed the result is the same, but the operations needed to achieve the result have drastically changed.

@squaremo
Copy link
Member

Indeed the result is the same,

So does it break anything?

@stefanprodan
Copy link
Member Author

stefanprodan commented Jan 27, 2022

So does it break anything?

Yes, if people have disabled the automated token creation for their service accounts, and they are setting the token in the attached secret by hand, then this PR will break their setup, as we no longer use tokens.

@squaremo
Copy link
Member

if people have disabled the automated token creation for their service accounts, and they are setting the token in the attached secret by hand, then this PR will break their setup, as we no longer use tokens.

That's what you should say in the description (commit, docs, changelog) :-)

@stefanprodan stefanprodan force-pushed the default-service-account branch from fdee71c to e35a5c9 Compare January 27, 2022 12:32
Introduce the flag `--default-service-account` for allowing cluster admins to enforce impersonation for resources reconciliation.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
@stefanprodan stefanprodan force-pushed the default-service-account branch from e35a5c9 to 4d7cba9 Compare January 27, 2022 16:25
@stefanprodan stefanprodan merged commit 4b59d77 into main Jan 31, 2022
@stefanprodan stefanprodan deleted the default-service-account branch January 31, 2022 09:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Multi-tenancy enforcement settings
4 participants