projectsyn / lieutenant-api

The Project Syn Kubernetes Cluster and Tenants Inventory API
https://docs.syn.tools/lieutenant-api/
BSD 3-Clause "New" or "Revised" License

Update `getServiceAccountToken()` to work correctly on Kubernetes 1.24+ #185

Closed simu closed 2 years ago

simu commented 2 years ago

Context

Kubernetes 1.24+ doesn't create service account token secrets by default anymore. Additionally, when creating a token secret explicitly, the secret isn't added to the `secrets` field of the ServiceAccount object.

We need to update `getServiceAccountToken()` to no longer find the token secret via the service account's `secrets` field, but instead by looking at the secret's `kubernetes.io/service-account.name` or `kubernetes.io/service-account.uid` annotations.

Since existing ServiceAccount token secrets already have those annotations (at least secrets created on Kubernetes 1.22+), we don't need multiple ways to look up secrets depending on whether the ServiceAccount and token secret were created on 1.24 or before.

Alternatives

Extend the operator to add the manually created secret to the ServiceAccount's `secrets` field.
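As an added example (not code from lieutenant-api), the annotation-based lookup proposed above written in Go. A minimal `Secret` struct stands in for `corev1.Secret` so it runs without client-go (an assumption), and the lookup also requires the `kubernetes.io/service-account.uid` annotation to match, which rejects secrets left over from a deleted and recreated ServiceAccount of the same name.

```go
package main

import "fmt"

// Secret is a minimal stand-in for corev1.Secret (assumption: only the fields
// the lookup needs are modelled so the example runs without client-go).
type Secret struct {
	Type        string
	Annotations map[string]string
	Data        map[string][]byte
}

const (
	saTokenType = "kubernetes.io/service-account-token"
	saNameAnno  = "kubernetes.io/service-account.name"
	saUIDAnno   = "kubernetes.io/service-account.uid"
)

// FindServiceAccountToken returns the token from the first secret issued for
// the ServiceAccount identified by saName and saUID. Matching the uid annotation
// as well as the name skips a secret left behind by a deleted ServiceAccount of
// the same name; the API server rejects such tokens, so returning one would
// only show up later as unexplained 401s.
func FindServiceAccountToken(secrets []Secret, saName, saUID string) (string, error) {
	for _, s := range secrets {
		if s.Type != saTokenType {
			continue
		}
		if s.Annotations[saNameAnno] != saName || s.Annotations[saUIDAnno] != saUID {
			continue
		}
		tok := s.Data["token"]
		if len(tok) == 0 {
			continue // secret exists but the token controller has not populated it yet
		}
		return string(tok), nil
	}
	return "", fmt.Errorf("no populated token secret for ServiceAccount %q (uid %s)", saName, saUID)
}

// SampleSecrets is constructed input: a stale secret from a previous
// ServiceAccount with the same name, an unpopulated secret, and the right one.
func SampleSecrets() []Secret {
	return []Secret{
		{Type: saTokenType, Data: map[string][]byte{"token": []byte("stale-token")},
			Annotations: map[string]string{saNameAnno: "lieutenant", saUIDAnno: "uid-old"}},
		{Type: saTokenType, // not yet populated by the token controller
			Annotations: map[string]string{saNameAnno: "lieutenant", saUIDAnno: "uid-new"}},
		{Type: saTokenType, Data: map[string][]byte{"token": []byte("constructed-token")},
			Annotations: map[string]string{saNameAnno: "lieutenant", saUIDAnno: "uid-new"}},
	}
}
```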

liggitt commented 2 years ago

> Extend the operator to add the manually created secret to the ServiceAccount's `secrets` field.

Unless you are mounting the manually created token into a pod, you should not add it to this list... this list is only for listing secrets that can be mounted into pods running as that service account.