The pods started by mysql operator use default service account #274

Open
surajssd opened this issue Mar 26, 2019 · 4 comments

Comments

@surajssd
Contributor

The pods started by the mysql-operator as part of a mysql cluster have the service account default. Rather, they should have their own dedicated service account created and assigned.

@AMecea
Contributor

AMecea commented Apr 2, 2019

This is a nice observation. I've already opened a PR that allows specifying on the cluster the service account name, #286.

What do you think?

@AMecea AMecea added this to the 0.3.0 milestone Apr 2, 2019
@surajssd
Contributor Author

surajssd commented Apr 4, 2019

The code-wise extension looks good to me; what I am also trying to solve with this is making all mysql operator related pods run within an environment that has PSP enabled.

And hence #258, #291 and this issue #274 are baby steps towards it. So having a broader picture of how we can automatically install PSP if needed when doing this could be of help. Not sure if the PSP needed for the mysql cluster pods should be installed by the operator or by the chart itself.

@calind
Member

calind commented Apr 11, 2019

Continuing here from the discussions on #286. The current proposed solution is:

  1. Add --default-cluster-service-account cli option, which defaults to mysql-cluster
  2. If user doesn't specify any serviceAccountName use the one from options
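The two steps above, written out as an added example that is not code from the mysql-operator project: a stdlib-only Go program that registers the proposed --default-cluster-service-account flag (default mysql-cluster, as in the proposal), falls back to it only when the cluster spec leaves serviceAccountName empty, and additionally refuses a resolved name of "default", which is the situation this issue was opened about. The Options and ClusterSpec types, the ParseOptions, ResolveServiceAccount and CheckServiceAccount functions, and the rejection of "default" are assumptions made for this illustration and not part of the thread's proposal.

```go
package main

import (
	"errors"
	"flag"
	"fmt"
	"os"
)

// Options holds the operator-level settings this example needs.
// The flag name and its default follow the proposal in the thread;
// the struct itself is a hypothetical stand-in for the operator's options.
type Options struct {
	DefaultClusterServiceAccount string
}

// ClusterSpec is a minimal, hypothetical stand-in for a MysqlCluster spec.
// Only the field relevant to this discussion is modelled.
type ClusterSpec struct {
	ServiceAccountName string
}

// ParseOptions registers --default-cluster-service-account on fs and parses
// args (step 1 of the proposal). An explicitly empty value is rejected so the
// fallback can never silently become the namespace's "default" account.
func ParseOptions(fs *flag.FlagSet, args []string) (Options, error) {
	var opts Options
	fs.StringVar(&opts.DefaultClusterServiceAccount, "default-cluster-service-account", "mysql-cluster",
		"service account assigned to cluster pods whose spec does not set serviceAccountName")
	if err := fs.Parse(args); err != nil {
		return Options{}, err
	}
	if opts.DefaultClusterServiceAccount == "" {
		return Options{}, errors.New("--default-cluster-service-account must not be empty")
	}
	return opts, nil
}

// ResolveServiceAccount implements step 2: a serviceAccountName set on the
// cluster wins; otherwise the operator-wide default from the options is used.
func ResolveServiceAccount(spec ClusterSpec, opts Options) string {
	if spec.ServiceAccountName != "" {
		return spec.ServiceAccountName
	}
	return opts.DefaultClusterServiceAccount
}

// CheckServiceAccount is an added guard (not in the proposal): it reports an
// error when the resolved account is empty or the namespace "default" account,
// so a misconfiguration is caught before any pod is created with it.
func CheckServiceAccount(name string) error {
	switch name {
	case "":
		return errors.New("resolved service account is empty")
	case "default":
		return errors.New("cluster pods must not run as the namespace default service account")
	}
	return nil
}

func main() {
	opts, err := ParseOptions(flag.NewFlagSet("mysql-operator", flag.ContinueOnError), os.Args[1:])
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	// Constructed sample specs: one relying on the fallback, one setting its own account.
	for _, spec := range []ClusterSpec{{}, {ServiceAccountName: "orders-db-sa"}} {
		name := ResolveServiceAccount(spec, opts)
		if err := CheckServiceAccount(name); err != nil {
			fmt.Fprintln(os.Stderr, "refusing:", err)
			continue
		}
		fmt.Printf("spec.serviceAccountName=%q -> pods run as %q\n", spec.ServiceAccountName, name)
	}
}
```

Run without arguments and the first sample resolves to mysql-cluster; pass --default-cluster-service-account=default and the guard rejects it, which is the behaviour an operator administrator would want rather than a silent fallback.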

@AMecea AMecea modified the milestones: 0.3.0, 0.3.x May 10, 2019
@marratj
Contributor

marratj commented Jun 28, 2019

Hi, as we are currently testing out the MySQL operator in our environment and also want to take advantage of specifying the Service Account of the Cluster Pods:

Does this also affect the sidecar Pods (e.g. for taking backups)?

We'd like to use the new "Workload Identity" Feature of GKE, which maps Kubernetes SAs directly to GCP IAM SAs.

For this we ideally need two things:

  • Have a different service account than default also for the sidecar (as we don't want to map the GCP SA with write access to our GCS bucket to the default SA in the namespace)
  • Make rclone in the sidecar image use gcloud application default credentials (we have rebuilt the sidecar image for this, which just omits the service account file option so that rclone uses default credentials with which the Pod is running)

EDIT: actually I mean the Pods that are generated by the MysqlBackup jobs need to be able to have a different serviceAccountName for this.

@AMecea AMecea removed this from the 0.3.x milestone Oct 23, 2020
chapsuk pushed a commit to chapsuk/mysql-operator that referenced this issue Oct 16, 2023