From 5d30456e1ad9c45bdfddeb08cfd6cb975ef5cb4c Mon Sep 17 00:00:00 2001
From: Eric Wolak
Date: Wed, 3 Feb 2021 16:50:36 -0800
Subject: [PATCH] Copy serviceAccountName to affinity-assistant
When a serviceAccountName is specified on a PipelineRun, all Pods that execute the constituent Tasks run with the specified ServiceAccount. If an Affinity Assistant pod is launched, it should also run with the same ServiceAccount. This ensures that cluster policies apply consistently to Tekton-launched Pods, and it avoids use of the "default" ServiceAccount that is discouraged by some Kubernetes security experts.
---
 .../pipelinerun/affinity_assistant.go | 12 +++++++++---
 .../pipelinerun/affinity_assistant_test.go | 18 ++++++++++++++++++
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/pkg/reconciler/pipelinerun/affinity_assistant.go b/pkg/reconciler/pipelinerun/affinity_assistant.go
index baf31da6eb5..e97f89a83ee 100644
--- a/pkg/reconciler/pipelinerun/affinity_assistant.go
+++ b/pkg/reconciler/pipelinerun/affinity_assistant.go
@@ -139,6 +139,11 @@ func affinityAssistantStatefulSet(name string, pr *v1beta1.PipelineRun, claimNam
 nodeSelector = pr.Spec.PodTemplate.NodeSelector
 }
+ serviceAccount := "default"
+ if pr.Spec.ServiceAccountName != "" {
+ serviceAccount = pr.Spec.ServiceAccountName
+ }
+
 containers := []corev1.Container{{
 Name: "affinity-assistant",
 Image: affinityAssistantImage,
@@ -192,9 +197,10 @@ func affinityAssistantStatefulSet(name string, pr *v1beta1.PipelineRun, claimNam
 Labels: getStatefulSetLabels(pr, name),
 },
 Spec: corev1.PodSpec{
- Containers: containers,
- Tolerations: tolerations,
- NodeSelector: nodeSelector,
+ Containers: containers,
+ Tolerations: tolerations,
+ NodeSelector: nodeSelector,
+ ServiceAccountName: serviceAccount,
 Affinity: &corev1.Affinity{
 PodAntiAffinity: &corev1.PodAntiAffinity{
 PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{repelOtherAffinityAssistantsPodAffinityTerm},
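Review bot: The hard-coded fallback `serviceAccount := "default"` in the first hunk duplicates what the ServiceAccount admission controller fills in for an empty `ServiceAccountName`, so the block could collapse to `ServiceAccountName: pr.Spec.ServiceAccountName,` in the PodSpec of the second hunk and let the API server apply the namespace default; if the explicit string is kept, a comment such as `// Fall back to the namespace "default" ServiceAccount when the PipelineRun does not name one.` would explain the choice. Because the assistant pod now inherits whatever RBAC the PipelineRun's ServiceAccount carries, and nothing in either hunk shows the container calling the API, the PodSpec would also benefit from `AutomountServiceAccountToken: &automount,` with `automount := false` declared next to `serviceAccount`, so the placeholder pod holds no usable token — worth confirming against the assistant image before adding. If the PipelineRun also carries per-task ServiceAccount overrides (not visible here), the assistant will still use the top-level name, and a one-line comment stating that this is intentional would stop a later reader treating it as a gap. affinityAssistantStatefulSet starts and ends outside both hunks.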
diff --git a/pkg/reconciler/pipelinerun/affinity_assistant_test.go b/pkg/reconciler/pipelinerun/affinity_assistant_test.go
index c943290f490..b0bd4401b3d 100644
--- a/pkg/reconciler/pipelinerun/affinity_assistant_test.go
+++ b/pkg/reconciler/pipelinerun/affinity_assistant_test.go
@@ -117,6 +117,24 @@ func TestThatCustomTolerationsAndNodeSelectorArePropagatedToAffinityAssistant(t
 }
 }
+func TestThatCustomServiceAccountIsPropagatedToAffinityAssistant(t *testing.T) {
+ prWithCustomPodTemplate := &v1beta1.PipelineRun{
+ TypeMeta: metav1.TypeMeta{Kind: "PipelineRun"},
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "pipelinerun-with-custom-podtemplate",
+ },
+ Spec: v1beta1.PipelineRunSpec{
+ ServiceAccountName: "test-service-account",
+ PodTemplate: &pod.Template{},
+ },
+ }
+
+ stsWithServiceAccount := affinityAssistantStatefulSet("test-assistant", prWithCustomPodTemplate, "mypvc", "nginx")
+ if stsWithServiceAccount.Spec.Template.Spec.ServiceAccountName != "test-service-account" {
+ t.Errorf("expected non-default ServiceAccountName in the StatefulSet")
+ }
+}
+
 func TestThatTheAffinityAssistantIsWithoutNodeSelectorAndTolerations(t *testing.T) {
 prWithoutCustomPodTemplate := &v1beta1.PipelineRun{
 TypeMeta: metav1.TypeMeta{Kind: "PipelineRun"},
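Review bot: The new test pins only the propagation case; the `"default"` fallback added in the same commit has no assertion, so a regression that drops the fallback or the whole `ServiceAccountName` assignment would still pass. A PipelineRun with `ServiceAccountName` left empty, asserting `Spec.Template.Spec.ServiceAccountName == "default"`, would close that gap — the existing TestThatTheAffinityAssistantIsWithoutNodeSelectorAndTolerations, whose body continues outside the hunk, looks like the natural place. The local name `prWithCustomPodTemplate` is misleading here, since the PodTemplate is empty and the ServiceAccount is what is custom; `prWithServiceAccount` reads better. The failure message would also be more useful with the observed value: `t.Errorf("expected ServiceAccountName %q, got %q", "test-service-account", stsWithServiceAccount.Spec.Template.Spec.ServiceAccountName)`.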