helm: add an rthooks serviceAccount section #2859
Conversation
kkourt
added
the
release-note/misc
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
kkourt
force-pushed
the
pr/kkourt/rthooks-serviceaccount
branch
2 times, most recently
from
7dfb15e
to
8169e10
Compare
|
Thanks @mtardy! pushed a new version that sets the default value of |
install/kubernetes/tetragon/templates/rthooks_serviceaccount.yaml
Outdated
Show resolved
Hide resolved
kkourt
force-pushed
the
pr/kkourt/rthooks-serviceaccount
branch
from
8169e10
to
d9ce585
Compare
|
Thanks Mahé! pushed a new version, PTAL. |
tested via:
helm template tetragon --set rthooks.enabled=true --set rthooks.interface=nri-hook ./install/kubernetes/tetragon | sed -n '/^.*tetragon\/templates\/rthooks-daemonset.yaml/,/^---$/p' | grep serviceAccountName
helm template tetragon --set rthooks.enabled=true --set rthooks.interface=nri-hook --set rthooks.serviceAccount.name=pizza ./install/kubernetes/tetragon | sed -n '/^.*tetragon\/templates\/rthooks-daemonset.yaml/,/^---$/p' | grep serviceAccountName
serviceAccountName: pizza
Signed-off-by: Kornilios Kourtis <[email protected]>
kkourt
force-pushed
the
pr/kkourt/rthooks-serviceaccount
branch
from
d9ce585
to
d1dc341
Compare
|
Pushed a new version due to conflicts. |
| @@ -395,3 +395,6 @@ rthooks: | |||
| override: ~ | |||
| repository: quay.io/cilium/tetragon-rthooks | |||
| tag: v0.3 | |||
| # -- rthooks service account. | |||
| serviceAccount: | |||
There was a problem hiding this comment.
IIRC in the previous version the default was the release name, like for the agent.
With the new version you don't get the credentials of the tetragon SA to access the API. An alternative approach to achieve the same is with adding automountServiceAccountToken: false to spec.template.spec of the rthooks daemonset. This may be very specific to OpenShift but the SA identity will be checked for admitting a pod using hostpath. Both the agent and the rthooks daemonset need it, which means that their respective SAs need to be bound to a convenient SCC.
The answer may be documentation but I wanted to mention this point.
There was a problem hiding this comment.
With the new version you don't get the credentials of the tetragon SA to access the API
API here being the k8s API server, correct? I think that's fine since rthooks does not need access to the API server. I think I'll just merge the change for now. Once/if we have a concrete problem, it would be easier to figure it out then.
Thanks!
No description provided.