chore(kuma-cp) check explicit service account name (#3228)

Signed-off-by: Jakub Dyszkiewicz <jakub.dyszkiewicz@gmail.com>

app/kumactl/cmd/install/testdata/install-control-plane.cni-enabled.golden.yaml

@@ -1140,6 +1140,8 @@ spec:
               value: "true"
             - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
               value: "docker.io/kumahq/kuma-dp:0.0.1"
+            - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+              value: "system:serviceaccount:kuma-system:kuma-control-plane"
             - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
               value: "kuma-system"
             - name: KUMA_STORE_TYPE

app/kumactl/cmd/install/testdata/install-control-plane.defaults.golden.yaml

@@ -965,6 +965,8 @@ spec:
               value: "false"
             - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
               value: "docker.io/kumahq/kuma-dp:0.0.1"
+            - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+              value: "system:serviceaccount:kuma-system:kuma-control-plane"
             - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
               value: "kuma-system"
             - name: KUMA_STORE_TYPE

app/kumactl/cmd/install/testdata/install-control-plane.global.golden.yaml

@@ -974,6 +974,8 @@ spec:
               value: "false"
             - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
               value: "docker.io/kumahq/kuma-dp:0.0.1"
+            - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+              value: "system:serviceaccount:kuma-system:kuma-control-plane"
             - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
               value: "kuma-system"
             - name: KUMA_STORE_TYPE

app/kumactl/cmd/install/testdata/install-control-plane.override-env-vars.golden.yaml

@@ -965,6 +965,8 @@ spec:
               value: "false"
             - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
               value: "docker.io/kumahq/kuma-dp:0.0.1"
+            - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+              value: "system:serviceaccount:kuma-system:kuma-control-plane"
             - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
               value: "kuma-system"
             - name: KUMA_STORE_TYPE

app/kumactl/cmd/install/testdata/install-control-plane.overrides.golden.yaml

@@ -985,6 +985,8 @@ spec:
               value: "false"
             - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
               value: "kuma-ci/kuma-dp:greatest"
+            - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+              value: "system:serviceaccount:kuma:kuma-control-plane"
             - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
               value: "kuma"
             - name: KUMA_STORE_TYPE

app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml

@@ -994,6 +994,8 @@ spec:
               value: "false"
             - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
               value: "docker.io/kumahq/kuma-dp:0.0.1"
+            - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+              value: "system:serviceaccount:kuma-system:kuma-control-plane"
             - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
               value: "kuma-system"
             - name: KUMA_STORE_TYPE

app/kumactl/cmd/install/testdata/install-control-plane.zone.golden.yaml

@@ -973,6 +973,8 @@ spec:
               value: "false"
             - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE
               value: "docker.io/kumahq/kuma-dp:0.0.1"
+            - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+              value: "system:serviceaccount:kuma-system:kuma-control-plane"
             - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE
               value: "kuma-system"
             - name: KUMA_STORE_TYPE

deployments/charts/kuma/templates/_helpers.tpl

@@ -160,6 +160,8 @@ env:
 {{- end }}
 - name: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN
   value: "false"
+- name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
+  value: "system:serviceaccount:{{ .Release.Namespace }}:{{ include "kuma.name" . }}-control-plane"
 {{- end }}
 
 {{/*

pkg/api-server/config_ws_test.go

@@ -187,6 +187,7 @@ var _ = Describe("Config WS", func() {
 				"port": 5443
 			  },
 			  "controlPlaneServiceName": "kuma-control-plane",
+			  "serviceAccountName": "system:serviceaccount:kuma-system:kuma-control-plane",
 			  "injector": {
 				"caCertFile": "",
 				"builtinDNS": {

pkg/config/app/kuma-cp/kuma-cp.defaults.yaml

@@ -153,7 +153,9 @@ runtime:
   # Kubernetes-specific configuration
   kubernetes:
     # Service name of the Kuma Control Plane. It is used to point Kuma DP to proper URL.
-    controlPlaneServiceName: kuma-control-plane
+    controlPlaneServiceName: kuma-control-plane # ENV: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME
+    # Name of Service Account that is used to run the Control Plane
+    serviceAccountName: "system:serviceaccount:kuma-system:kuma-control-plane" # ENV: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME
     # Admission WebHook Server configuration
     admissionServer:
       # Address the Admission WebHook Server should be listening on

pkg/config/loader_test.go

@@ -139,6 +139,7 @@ var _ = Describe("Config loader", func() {
 			Expect(cfg.MonitoringAssignmentServer.ApiVersions).To(ContainElements("v1"))
 
 			Expect(cfg.Runtime.Kubernetes.ControlPlaneServiceName).To(Equal("custom-control-plane"))
+			Expect(cfg.Runtime.Kubernetes.ServiceAccountName).To(Equal("custom-sa"))
 
 			Expect(cfg.Runtime.Kubernetes.AdmissionServer.Address).To(Equal("127.0.0.2"))
 			Expect(cfg.Runtime.Kubernetes.AdmissionServer.Port).To(Equal(uint32(9443)))
@@ -317,6 +318,7 @@ runtime:
   universal:
     dataplaneCleanupAge: 1h
   kubernetes:
+    serviceAccountName: custom-sa
     controlPlaneServiceName: custom-control-plane
     admissionServer:
       address: 127.0.0.2
@@ -505,6 +507,7 @@ access:
 				"KUMA_MONITORING_ASSIGNMENT_SERVER_ASSIGNMENT_REFRESH_INTERVAL":                            "12s",
 				"KUMA_REPORTS_ENABLED":                                                                     "false",
 				"KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME":                                       "custom-control-plane",
+				"KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME":                                             "custom-sa",
 				"KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_ADDRESS":                                         "127.0.0.2",
 				"KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT":                                            "9443",
 				"KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_CERT_DIR":                                        "/var/run/secrets/kuma.io/kuma-admission-server/tls-cert",

pkg/config/plugins/runtime/k8s/config.go

@@ -16,6 +16,7 @@ func DefaultKubernetesRuntimeConfig() *KubernetesRuntimeConfig {
 			Port: 5443,
 		},
 		ControlPlaneServiceName: "kuma-control-plane",
+		ServiceAccountName:      "system:serviceaccount:kuma-system:kuma-control-plane",
 		Injector: Injector{
 			CNIEnabled:           false,
 			VirtualProbesEnabled: true,
@@ -87,6 +88,8 @@ type KubernetesRuntimeConfig struct {
 	// marshaled objects will be stored in the cache. If equal to 0s then
 	// cache is turned off
 	MarshalingCacheExpirationTime time.Duration `yaml:"marshalingCacheExpirationTime" envconfig:"kuma_runtime_kubernetes_marshaling_cache_expiration_time"`
+	// Name of Service Account that is used to run the Control Plane
+	ServiceAccountName string `yaml:"serviceAccountName,omitempty" envconfig:"kuma_runtime_kubernetes_service_account_name"`
 	// ControlPlaneServiceName defines service name of the Kuma control plane. It is used to point Kuma DP to proper URL.
 	ControlPlaneServiceName string `yaml:"controlPlaneServiceName,omitempty" envconfig:"kuma_runtime_kubernetes_control_plane_service_name"`
 }

pkg/config/plugins/runtime/k8s/testdata/default-config.golden.yaml

@@ -48,4 +48,5 @@ injector:
     enabled: true
     port: 15053
 marshalingCacheExpirationTime: 5m0s
+serviceAccountName: system:serviceaccount:kuma-system:kuma-control-plane
 controlPlaneServiceName: kuma-control-plane

pkg/plugins/runtime/k8s/plugin.go

@@ -234,7 +234,7 @@ func addValidators(mgr kube_ctrl.Manager, rt core_runtime.Runtime, converter k8s
 		return errors.Errorf("could not find composite validator in the extensions context")
 	}
 
-	handler := k8s_webhooks.NewValidatingWebhook(converter, core_registry.Global(), k8s_registry.Global(), rt.Config().Mode, rt.Config().Store.Kubernetes.SystemNamespace)
+	handler := k8s_webhooks.NewValidatingWebhook(converter, core_registry.Global(), k8s_registry.Global(), rt.Config().Mode, rt.Config().Runtime.Kubernetes.ServiceAccountName)
 	composite.AddValidator(handler)
 
 	k8sMeshValidator := k8s_webhooks.NewMeshValidatorWebhook(rt.MeshValidator(), converter, rt.ResourceManager())

pkg/plugins/runtime/k8s/webhooks/validation.go

@@ -24,23 +24,23 @@ import (
 	"github.com/kumahq/kuma/pkg/version"
 )
 
-func NewValidatingWebhook(converter k8s_common.Converter, coreRegistry core_registry.TypeRegistry, k8sRegistry k8s_registry.TypeRegistry, mode core.CpMode, systemNamespace string) k8s_common.AdmissionValidator {
+func NewValidatingWebhook(converter k8s_common.Converter, coreRegistry core_registry.TypeRegistry, k8sRegistry k8s_registry.TypeRegistry, mode core.CpMode, cpServiceAccountName string) k8s_common.AdmissionValidator {
 	return &validatingHandler{
-		coreRegistry:    coreRegistry,
-		k8sRegistry:     k8sRegistry,
-		converter:       converter,
-		mode:            mode,
-		systemNamespace: systemNamespace,
+		coreRegistry:         coreRegistry,
+		k8sRegistry:          k8sRegistry,
+		converter:            converter,
+		mode:                 mode,
+		cpServiceAccountName: cpServiceAccountName,
 	}
 }
 
 type validatingHandler struct {
-	coreRegistry    core_registry.TypeRegistry
-	k8sRegistry     k8s_registry.TypeRegistry
-	converter       k8s_common.Converter
-	decoder         *admission.Decoder
-	mode            core.CpMode
-	systemNamespace string
+	coreRegistry         core_registry.TypeRegistry
+	k8sRegistry          k8s_registry.TypeRegistry
+	converter            k8s_common.Converter
+	decoder              *admission.Decoder
+	mode                 core.CpMode
+	cpServiceAccountName string
 }
 
 func (h *validatingHandler) InjectDecoder(d *admission.Decoder) error {
@@ -104,7 +104,7 @@ func (h *validatingHandler) decode(req admission.Request) (core_model.Resource,
 
 // Note that this func does not validate ConfigMap and Secret since this webhook does not support those
 func (h *validatingHandler) isOperationAllowed(resType core_model.ResourceType, userInfo authenticationv1.UserInfo, op v1.Operation) admission.Response {
-	if isKumaServiceAccount(userInfo, h.systemNamespace) {
+	if userInfo.Username == h.cpServiceAccountName {
 		// Assume this means sync from another zone. Not security; protecting user from self.
 		return admission.Allowed("")
 	}
@@ -149,15 +149,6 @@ func syncErrorResponse(resType core_model.ResourceType, cpMode core.CpMode, op v
 	}
 }
 
-func isKumaServiceAccount(userInfo authenticationv1.UserInfo, systemNamespace string) bool {
-	elms := strings.Split(userInfo.Username, ":")
-	// system:serviceaccount:<namespace>:kuma-control-plane
-	if len(elms) == 4 && elms[2] == systemNamespace {
-		return true
-	}
-	return false
-}
-
 // validateResourceLocation validates if resources that suppose to be applied on Global are applied on Global and other way around
 func (h *validatingHandler) validateResourceLocation(resType core_model.ResourceType) admission.Response {
 	if err := system.ValidateLocation(resType, h.mode); err != nil {

pkg/plugins/runtime/k8s/webhooks/validation_test.go

@@ -44,7 +44,7 @@ var _ = Describe("Validation", func() {
 		func(given testCase) {
 			// given
 			webhook := &kube_admission.Webhook{
-				Handler: webhooks.NewValidatingWebhook(converter, core_registry.Global(), k8s_registry.Global(), given.mode, "kuma-system"),
+				Handler: webhooks.NewValidatingWebhook(converter, core_registry.Global(), k8s_registry.Global(), given.mode, "system:serviceaccount:kuma-system:kuma-control-plane"),
 			}
 			Expect(webhook.InjectScheme(scheme)).To(Succeed())
 
@@ -128,7 +128,7 @@ var _ = Describe("Validation", func() {
 		Entry("should pass validation for synced policy from Global to Zone", testCase{
 			mode:        core.Zone,
 			objTemplate: &mesh_proto.TrafficRoute{},
-			username:    "system:serviceaccount:kuma-system:mesh",
+			username:    "system:serviceaccount:kuma-system:kuma-control-plane",
 			obj: `
             {
               "apiVersion":"kuma.io/v1alpha1",
@@ -491,7 +491,7 @@ var _ = Describe("Validation", func() {
 		Entry("should fail validation on missing mesh object", testCase{
 			mode:        core.Zone,
 			objTemplate: &mesh_proto.TrafficRoute{},
-			username:    "system:serviceaccount:kuma-system:mesh",
+			username:    "system:serviceaccount:kuma-system:kuma-control-plane",
 			obj: `
             {
               "apiVersion":"kuma.io/v1alpha1",