🌱 Support for kube-api-access volume mount

[wondywang]

What this PR does / why we need it:
This PR continue to improve the feature gated support for VirtualCluster to work with any Kubernetes version 1.21+ and when the RootCACertConfigMap feature is enabled in 1.20 clusters. To achieve this, before creating the pPod, the content in the kube-api-access volume is changed. Change it to directly mount the tenant cluster secret instead of applying the token of the super cluster.

Before:

  volumes:
  - name: kube-api-access-sjz6l
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace

After:

  volumes:
  - name: kube-api-access-f7ww9
    projected:
      defaultMode: 420
      sources:
      - secret:
          name: default-token-v2wlt

Here is the reference to the implementation in the Kubernetes： https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/serviceaccount/admission.go

Follow-up needs to be considered: After Kubernetes version 1.24+, KCM will no longer distribute ServiceAccount tokens. I plan to add a token manager in the ServiceAccount sync controller to create ServiceAccount tokens and keep them in the validity period.

Which issue(s) this PR fixes:

#282

/kind feature

[christopherhein]

This is looking great so far, this doesn’t do the TokenManagement aspects but I see your note that this can come later.

[Fei-Guo]

@wondywang.

• Please fix lint/test failures.
• Please add UTs for the change.
• Please add a feature gate to guard your change entirely.

[wondywang]

@wondywang.

• Please fix lint/test failures.
• Please add UTs for the change.
• Please add a feature gate to guard your change entirely.

Ok, I will do it. If adding a new gate, I will prefer separate out a new file. I actually thought about doing that.

[wondywang]

@Fei-Guo @christopherhein

PTAL, thanks.

[Fei-Guo]

Overall LG. Some nits.

[Fei-Guo]

Do you need the log?

[Fei-Guo]

V(6) -> V(4).

[Fei-Guo]

LGTM. @christopherhein, take another look?

[ravisantoshgudimetla]

Mostly LGTM. Thanks for working on this @wondywang

[ravisantoshgudimetla]

nit: You can use something like this here: https://github.com/kubernetes/apimachinery/blob/v0.27.4/pkg/util/wait/poll.go#L45

[wondywang]

thx @ravisantoshgudimetla. I suddenly found that the retry logic here is unnecessary. So it was removed directly.

[ravisantoshgudimetla]

Can we use automountServiceAccountToken on the pod spec?

[christopherhein]

We explicitly override this from vc-syncer so the value in the pPod should always be false, seems like if we have the vPod object we could get that value.

[ravisantoshgudimetla]

It'd be easier if you add an expected Pod after mutation as a field in this struct.

[wondywang]

hi, @ravisantoshgudimetla. I thought about it. This is not easy to implement, because the names kube-api-access-xxxx here are randomly generated by names.SimpleNameGenerator.GenerateName.

[ravisantoshgudimetla]

I see. No issues then. I was actually referring to the contents not the name.

[ravisantoshgudimetla]

Can you add 2 more test cases with auto mount enable and disabled and if possible can we check the content of this secret(token matches what we expect it to be?)

[christopherhein]

https://github.com/kubernetes-sigs/cluster-api-provider-nested/pull/348/files#r1291799079

[christopherhein]

Overall looks great, @Fei-Guo & @ravisantoshgudimetla added the same feedback I would. Thank you @wondywang for taking the lead on this.

[wondywang]

Overall looks great, @Fei-Guo & @ravisantoshgudimetla added the same feedback I would. Thank you @wondywang for taking the lead on this.

@christopherhein @ravisantoshgudimetla That's great, thanks! I will make some change later.

[ravisantoshgudimetla]

@wondywang - go-imports are failing. Can you fix and push the commit. LGTM from code standpoint.

[wondywang]

@wondywang - go-imports are failing. Can you fix and push the commit. LGTM from code standpoint.

Sorry, I've been a little busy lately. I will get it done as soon as possible. @ravisantoshgudimetla

[wondywang]

@Fei-Guo @christopherhein PTAL.

And I also update serviceAccount token manager in this commit. This part of the logic is an idea of mine (maybe not complete). Can be used as a reference. I plan not to mention PR for now. Wait for @ravisantoshgudimetla to finish it. What do you think?

wondywang@ad8545a

[christopherhein]

/lgtm

@Fei-Guo I’ll give you the chance to approve this.

cc @ravisantoshgudimetla as well, thanks!

[Fei-Guo]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Fei-Guo, wondywang

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• virtualcluster/OWNERS [Fei-Guo]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment