gardener / kupid

Inject scheduling criteria into target pods orthogonally by policy definition.
Apache License 2.0

🛡 Enable `ServiceAccount` token projection #31

Closed rfranzke closed 2 years ago

rfranzke commented 2 years ago

How to categorize this PR?

/area security
/kind enhancement
/merge squash

What this PR does / why we need it:
When the extension is running on a seed with a gardenlet of at least v1.37 then ServiceAccount token projection is enabled.

Which issue(s) this PR fixes:
Part of gardener/gardener#4659
Part of gardener/gardener#4878

Release note:

The extension controller uses a projected `ServiceAccount` token in case it runs on a seed with a gardenlet of at least `v1.37` or higher.

rfranzke commented 2 years ago

/invite @BeckerMax @timebertt

rfranzke commented 2 years ago

@amshuman-kr I can't follow, the changes in the controller-registration.yaml file are auto-generated (from https://github.com/gardener/kupid/blob/399956330828f0a0e6ad17d5538b7ad529e2520f/charts/gardener-extension-kupid/doc.go#L15). Did you manually maintain this in the past?

amshuman-kr commented 2 years ago

> Did you manually maintain this in the past?

I used to manually maintain the resources and deployment policy sections because I somehow couldn't get the script to generate those parts right.

rfranzke commented 2 years ago

OK, I have reverted these changes for now.

rfranzke commented 2 years ago

/invite @ashwani2k @shreyas-s-rao

gardener-robot commented 2 years ago

@ashwani2k You have pull request review open invite, please check

rfranzke commented 2 years ago

Ping, can we merge and release this, please?