I missed one edge case in https://github.com/tumblr/k8s-sidecar-injector/pull/39 - any containers that exist in the admission requested pod before we inject a serviceAccount will already have had any VolumeMounts for the serviceaccount's token created, when automountServiceAccountToken:true. This is a bit annoying, and causes users of ServiceAccount injections to have original containers continue to use the default-token-* mount, whereas injected containers use the correct ${serviceAccountName}-token-* mount that is added by the ServiceAccountController after processing the MWAC injection.
Testing Steps
[x] Added unit tests for this feature (make test)
Reviewers
Required reviewers: @byxorna
Request reviews from other people you want to review this PR in the "Reviewers" section on the right.
:warning: this PR must have at least 2 thumbs from the MAINTAINERS.md of the project before merging!
…ing a serviceAccount
What and why?
I missed one edge case in https://github.com/tumblr/k8s-sidecar-injector/pull/39 - any containers that exist in the admission requested pod before we inject a serviceAccount will already have had any VolumeMounts for the serviceaccount's token created, when
automountServiceAccountToken:true
. This is a bit annoying, and causes users of ServiceAccount injections to have original containers continue to use thedefault-token-*
mount, whereas injected containers use the correct${serviceAccountName}-token-*
mount that is added by the ServiceAccountController after processing the MWAC injection.Testing Steps
make test
)Reviewers
Required reviewers:
@byxorna
Request reviews from other people you want to review this PR in the "Reviewers" section on the right.