banzaicloud / thanos-operator

Kubernetes operator for deploying Thanos
Apache License 2.0

ServiceAccount defaults to 'default' when creating operated resources #39

Open PeterGrace opened 4 years ago

PeterGrace commented 4 years ago

Describe the bug
Operated resources are created without a serviceAccount specified, causing the resources to use the default service account for the namespace. In many environments with restrictive pod security policies, service accounts are created with the least privilege necessary to instantiate resources.

Steps to reproduce the issue:
Create any object-kind in thanos-operator that prompts the generation of a deployment; see that said resource is running in the 'default' service account instead of the service account installed with the helm chart.

Expected behavior
The thanos-operator would utilize the service account generated by the helm chart, or have the ability to specify the service account to be used when creating operated resources.

Screenshots

ns/monitoring       pod/thanos-operator-6cf7b55df6-jjv6v                                 sa/thanos-operator                               psp/readwritefs                                   state/Running
ns/monitoring       pod/thanos-objstore-bucket-546478d96c-xqzbq                          sa/default                                       psp/restricted                                    state/PendingCreateContainerConfigError
ns/monitoring       pod/thanos-objstore-compactor-5ffd7b764b-9tjjt                       sa/default                                       psp/restricted                                    state/PendingCreateContainerConfigError

Additional context
Utilizing helm-chart version 0.1.0 / operator version banzaicloud/thanos-operator:0.1.0
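A check for the condition this issue describes, written here as an added example and not part of the operator or this issue: it walks a `kubectl get pods -o json` PodList and reports every pod whose effective service account is `default` (either set explicitly or left unset, which Kubernetes fills in as `default`), together with the PSP that admitted it and any container waiting reason such as CreateContainerConfigError. The PodList below is constructed from the three pods in the screenshot; the `app.kubernetes.io/managed-by` label used for filtering is an assumption, not a label the operator is known to set.

```python
"""Flag pods that run under a namespace's 'default' ServiceAccount.

Added example (not thanos-operator code). Feed it `kubectl get pods -n <ns> -o json`
on stdin, or run it without stdin to use the constructed sample below.
"""
import json
import sys
from typing import Optional

# Constructed sample PodList modelled on the screenshot in the issue; not real cluster output.
# The 'kubernetes.io/psp' annotation is what the PSP admission controller writes; the
# 'app.kubernetes.io/managed-by' label is an assumed convention used only for filtering here.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "items": [
        {
            "metadata": {"name": "thanos-operator-6cf7b55df6-jjv6v", "namespace": "monitoring",
                         "annotations": {"kubernetes.io/psp": "readwritefs"},
                         "labels": {"app.kubernetes.io/name": "thanos-operator"}},
            "spec": {"serviceAccountName": "thanos-operator"},
            "status": {"phase": "Running"},
        },
        {
            "metadata": {"name": "thanos-objstore-bucket-546478d96c-xqzbq", "namespace": "monitoring",
                         "annotations": {"kubernetes.io/psp": "restricted"},
                         "labels": {"app.kubernetes.io/managed-by": "thanos-operator"}},
            "spec": {"serviceAccountName": "default"},
            "status": {"phase": "Pending",
                       "containerStatuses": [{"name": "bucket",
                                              "state": {"waiting": {"reason": "CreateContainerConfigError"}}}]},
        },
        {
            "metadata": {"name": "thanos-objstore-compactor-5ffd7b764b-9tjjt", "namespace": "monitoring",
                         "annotations": {"kubernetes.io/psp": "restricted"},
                         "labels": {"app.kubernetes.io/managed-by": "thanos-operator"}},
            "spec": {},  # serviceAccountName omitted: the API server fills in 'default' at admission
            "status": {"phase": "Pending"},
        },
    ],
})


def effective_service_account(pod: dict) -> str:
    """Return the SA the pod actually runs under; an unset field means 'default'."""
    spec = pod.get("spec", {})
    # Older manifests may still carry the deprecated 'serviceAccount' field.
    return spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"


def waiting_reasons(pod: dict) -> list:
    """Collect container waiting reasons (e.g. CreateContainerConfigError) from pod status."""
    reasons = []
    for cs in pod.get("status", {}).get("containerStatuses", []) or []:
        waiting = cs.get("state", {}).get("waiting")
        if waiting and waiting.get("reason"):
            reasons.append(waiting["reason"])
    return reasons


def find_default_sa_pods(podlist_json: str, label_selector: Optional[dict] = None) -> list:
    """Return one finding per pod that runs as 'default', optionally filtered by exact label matches."""
    findings = []
    for pod in json.loads(podlist_json).get("items", []):
        labels = pod["metadata"].get("labels", {})
        if label_selector and any(labels.get(k) != v for k, v in label_selector.items()):
            continue
        sa = effective_service_account(pod)
        if sa != "default":
            continue
        findings.append({
            "namespace": pod["metadata"]["namespace"],
            "pod": pod["metadata"]["name"],
            "serviceAccount": sa,
            "psp": pod["metadata"].get("annotations", {}).get("kubernetes.io/psp"),
            "phase": pod.get("status", {}).get("phase"),
            "waiting": waiting_reasons(pod),
        })
    return findings


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PODLIST
    for f in find_default_sa_pods(data):
        print(f"{f['namespace']}/{f['pod']}: sa={f['serviceAccount']} psp={f['psp']} "
              f"phase={f['phase']} waiting={','.join(f['waiting']) or '-'}")
```

On the sample, the operator pod itself is clean and the two operated deployments are reported; the compactor pod shows why the check must treat an absent `serviceAccountName` as `default` rather than looking only for the literal value.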

roulettedares commented 3 years ago

I was able to use the thanos-operator service account in the objectstore-bucket and objectstore-compactor deployments:

apiVersion: monitoring.banzaicloud.io/v1alpha1
kind: ObjectStore
metadata:
  name: objectstore
spec:
  config:
    mountFrom:
      secretKeyRef:
        name: thanos
        key: object-store.yaml
  bucketWeb:
    label: cluster
    # Override the generated Deployment's pod spec so it runs as the chart's SA, not 'default'
    deploymentOverrides:
      spec:
        template:
          spec:
            serviceAccountName: {{ include "thanos-operator-stack.serviceAccountName" $ }}
  {{- with index .Values "thanos-operator" "compact" }}
  compactor:
    deploymentOverrides:
      spec:
        template:
          spec:
            serviceAccountName: {{ include "thanos-operator-stack.serviceAccountName" $ }}
  {{- end }}

I can't figure out how to customize the storeendpoint-store service account which blocks me from leveraging gcp workload identity.