
Default Provider Service Account always created when overridden in ControllerConfig #2295

Closed
benagricola opened this issue May 7, 2021 · 4 comments · Fixed by #2880
Assignees
Labels
bug Something isn't working package

Comments

@benagricola
Contributor

benagricola commented May 7, 2021

What happened?

Configuring provider-aws to use an existing IRSA-configured service account using the following ControllerConfig:

apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: provider-aws
spec:
  serviceAccountName: crossplane-aws-provider

We end up with our existing crossplane-aws-provider as well as an automatically created service account, which then has the ClusterRoleBinding applied to allow it to manage resources.

This means we have 1 service account with the right permissions to manage AWS resources and 1 with the right permissions to manage crossplane resources, but zero that can handle both:

$ k get sa -n crossplane-system | grep aws
aws-4ebd5d8c7cb7                              1         7m22s  # Crossplane-created with Cluster role binding
crossplane-aws-provider                       1         72m    # eksctl-created with IRSA role binding

How can we reproduce it?

Create a service account manually, use the above ControllerConfig to configure a provider and watch as you get 2 service accounts with mixed permissions.

Suggested fix

Do not create the service account if name is overridden by ControllerConfig serviceAccountName.

Ideally use the existing service account name when requesting permissions from the RBAC manager. I'm not sure if this is possible as rbac manager uses the owner reference to work out what SA to apply the binding to. When the service account is not created by crossplane, it might be necessary to add an additional check to the binding provider (linked above) to make sure it doesn't try to create a ClusterRoleBinding with no subjects.

What environment did it happen in?

Crossplane version: master on EKS
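As an added example (not part of the issue or of Crossplane's own code), the following Python check makes the split state described above visible: it walks constructed objects shaped like `kubectl get sa -o json` / `kubectl get clusterrolebinding -o json` output, records which ServiceAccounts carry the IRSA `eks.amazonaws.com/role-arn` annotation, which are subjects of a ClusterRoleBinding, and whether any holds both. The binding names, role ARN and `usable_service_accounts` helper are assumptions made for the example.

```python
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"  # annotation an IRSA-enabled SA carries

# Constructed sample objects (shape of `kubectl ... -o json`, trimmed to the fields used).
# SA names follow the issue; the binding names and role ARN are placeholders.
SERVICE_ACCOUNTS = [
    {"metadata": {"name": "aws-4ebd5d8c7cb7", "namespace": "crossplane-system"}},
    {"metadata": {"name": "crossplane-aws-provider", "namespace": "crossplane-system",
                  "annotations": {IRSA_ANNOTATION: "arn:aws:iam::111122223333:role/PLACEHOLDER"}}},
]
CLUSTER_ROLE_BINDINGS = [
    {"metadata": {"name": "placeholder-provider-aws-binding"},
     "roleRef": {"kind": "ClusterRole", "name": "placeholder-provider-aws-role"},
     "subjects": [{"kind": "ServiceAccount", "name": "aws-4ebd5d8c7cb7",
                   "namespace": "crossplane-system"}]},
]


def bound_service_accounts(bindings):
    """Set of (namespace, name) for every ServiceAccount subject across the bindings."""
    bound = set()
    for crb in bindings:
        for subj in crb.get("subjects") or []:  # 'subjects' may be absent or empty
            if subj.get("kind") == "ServiceAccount":
                bound.add((subj.get("namespace"), subj["name"]))
    return bound


def bindings_without_subjects(bindings):
    """Names of bindings that grant a role to nobody, the case the suggested fix warns about."""
    return [crb["metadata"]["name"] for crb in bindings if not crb.get("subjects")]


def audit(service_accounts, bindings, namespace):
    """Per-SA view of which half of the needed permissions each SA in the namespace holds."""
    bound = bound_service_accounts(bindings)
    report = {}
    for sa in service_accounts:
        md = sa["metadata"]
        if md.get("namespace") != namespace:
            continue
        report[md["name"]] = {
            "irsa": IRSA_ANNOTATION in (md.get("annotations") or {}),
            "rbac": (namespace, md["name"]) in bound,
        }
    return report


def usable_service_accounts(report):
    """SAs holding both the IRSA role and a Crossplane ClusterRoleBinding (hypothetical helper)."""
    return sorted(name for name, v in report.items() if v["irsa"] and v["rbac"])


if __name__ == "__main__":
    result = audit(SERVICE_ACCOUNTS, CLUSTER_ROLE_BINDINGS, "crossplane-system")
    for name, flags in result.items():
        print(f"{name}: irsa={flags['irsa']} rbac={flags['rbac']}")
    print("usable:", usable_service_accounts(result) or "none")
```

On the sample data the report shows one SA with only IRSA and one with only RBAC, so `usable_service_accounts` returns an empty list, which is exactly the state the issue reports.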

@benagricola benagricola added the bug Something isn't working label May 7, 2021
benagricola pushed a commit to benagricola/crossplane that referenced this issue May 7, 2021
When setting a `ControllerConfig` `serviceAccountName` for a provider,
crossplane still creates its own `ServiceAccount` which is not used
by the provider pod. This changes that behaviour so that if a
ControllerConfig overrides the `serviceAccountName` then a redundant SA
will not be created.

If an autogenerated SA is then overridden by `serviceAccountName` it
will not be deleted until the `ProviderRevision` itself is cleaned up.

Fixes crossplane#2295

Signed-off-by: Ben Agricola <[email protected]>
@hasheddan hasheddan self-assigned this May 19, 2021
@negz negz added the package label Aug 28, 2021
@danjo133

danjo133 commented Oct 25, 2021

I was under the impression that setting this variable would set the name of the service account to be created? Would it be possible to have that behaviour and another flag createServiceAccount to decide if it should be created or not? I would prefer if crossplane can create the service account, clusterrole and clusterrolebindings, but I can decide on the name of the service account.

The problem I'm having now is that I have a config for eksctl which has a block for IAM service accounts like so

iam:
  serviceAccounts:
  - metadata:
      name: provider-aws-${randomnumbers}
      namespace: crossplane-system
      labels:
        aws-usage: "cluster-ops"
    attachPolicyARNs:
    - "arn:aws:iam::aws:policy/AdministratorAccess" # preferably your own role with less privileges.
    roleName: ${clusteridentifier}-crossplane-provider-aws
    roleOnly: true

And I would like to be able to use eksctl to create all those resources at once when creating new clusters, instead of having to first create some resources, then install the provider to get the random name and then go back and update the config and then go back to whatever else should go into the cluster.

@ONordander

Hi, could we get any information from maintainers regarding this?
Having the ability to specify the ServiceAccount and get the correct RBAC settings would really help our usecase.

@stale

stale bot commented Aug 14, 2022

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Aug 14, 2022
@hasheddan hasheddan reopened this Sep 6, 2022
@macmiranda

I'm still seeing the same behavior on 1.9.1
