
⚠️ Use custom service accounts instead of default for controllers #1210

Merged

Conversation

furkatgofurov7
Copy link
Member

@furkatgofurov7 furkatgofurov7 commented Mar 4, 2021

What type of PR is this?
/kind feature

What this PR does / why we need it:
Uses a dedicated service account for each CAPZ controller (instead of default)

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #1206

Special notes for your reviewer:

Please have a look thoroughly, in case I missed some important points to update in the PR. Thanks!

TODOs:

  • squashed commits
  • includes documentation
  • adds unit tests

Release note:

⚠️ Use custom service accounts instead of default for controllers

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. area/provider/azure Issues or PRs related to azure provider labels Mar 4, 2021
@k8s-ci-robot k8s-ci-robot added the sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. label Mar 4, 2021
@k8s-ci-robot
Copy link
Contributor

Hi @furkatgofurov7. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Mar 4, 2021
@furkatgofurov7
Copy link
Member Author

/cc @CecileRobertMichon @nader-ziada

@nprokopic
Copy link
Contributor

Should the service account for aad-pod-identity be updated as well? https://github.com/kubernetes-sigs/cluster-api-provider-azure/blob/master/config/default/aad-pod-identity-deployment.yaml#L65-L67

@furkatgofurov7
Copy link
Member Author

@nprokopic hi! Thanks for the suggestion. I was mainly following kubernetes-sigs/cluster-api/4245 and it changes only the SAs in the system namespace, so I haven't touched it. But please do let me know if I am misunderstanding it.

@nprokopic
Copy link
Contributor

I was mainly following kubernetes-sigs/cluster-api/4245 and it changes only the SAs in the system namespace

I believe that the changes are for the default service account in multiple namespaces with names ending with -system (there is some kustomize templating involved).

Here are the default service accounts from *-system namespaces before the above linked CAPI change:

$ kubectl get serviceaccount -A | grep default | grep system
capi-kubeadm-bootstrap-system       default                              1         28d
capi-kubeadm-control-plane-system   default                              1         28d
capi-system                         default                              1         28d
capi-webhook-system                 default                              1         28d
capz-system                         default                              1         28d
kube-system                         default                              1         28d

So I believe that in CAPZ we should also update the aad-pod-identity deployment, which is currently using the default service account for the capz-system namespace, unless of course aad-pod-identity has some specific requirements and needs the default service account.

@nader-ziada
Copy link
Contributor

So I believe that in CAPZ we should also update the aad-pod-identity deployment, which is currently using the default service account for the capz-system namespace, unless of course aad-pod-identity has some specific requirements and needs the default service account.

agree that aad-pod-identity service account should be updated as well

@nader-ziada
Copy link
Contributor

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Mar 5, 2021
@furkatgofurov7 furkatgofurov7 force-pushed the furkat/use-individual-sa branch from 05ac2be to 7eeff02 Compare March 5, 2021 15:23
@furkatgofurov7
Copy link
Member Author

@nprokopic thanks for spotting this, fixed it.

@furkatgofurov7
Copy link
Member Author

Seems like CI flakiness, re-triggering.

/retest

@nader-ziada
Copy link
Contributor

/test pull-cluster-api-provider-azure-e2e

@@ -63,7 +63,7 @@ metadata:
k8s-app: capz-aad-pod-id-nmi-binding
subjects:
- kind: ServiceAccount
name: default
name: manager
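Review bot: the hunk changes only the subject of capz-aad-pod-id-nmi-binding from `default` to `manager`; if the NMI DaemonSet in this same file keeps serviceAccountName: default, the NMI pods continue to run as `default` while the binding grants the NMI role to an account nothing runs as, so the two should move together in one commit. The subject's namespace line is outside the visible context; confirm it names the namespace where the `manager` ServiceAccount is created, since a ServiceAccount subject without a matching namespace silently refers to a non-existent account.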
Copy link
Contributor


The account that is set here should, I believe, also be set in the aad-pod-identity NMI DaemonSet's .Spec.Template.Spec.ServiceAccountName field (in this same file), which is currently set to default.

Copy link
Member Author


Set it to manager. PTAL.
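The two checks raised in this thread, workloads still running as the `default` ServiceAccount of a `-system` namespace (the `kubectl get serviceaccount` listing above) and a binding subject that was renamed without the workload's serviceAccountName following it (the review comment above), can be run as one lint over a manifest bundle before it is applied. The script below is an added example, not code from cluster-api-provider-azure or from aad-pod-identity: it works on already-parsed manifests (the list a YAML loader such as `yaml.safe_load_all` would return), and the sample bundle is constructed; apart from the binding name `capz-aad-pod-id-nmi-binding` and the `manager` account taken from the diff, every name, image and role in it is hypothetical.

```python
import copy

# Added example (not project code): audit parsed Kubernetes manifests for
# workloads that run as the default ServiceAccount and for RBAC bindings
# whose ServiceAccount subject is not actually used by any workload.

WORKLOAD_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def pod_spec(obj):
    """Return the PodSpec embedded in a workload object, or None for other kinds."""
    kind = obj.get("kind")
    spec = obj.get("spec") or {}
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        job = spec.get("jobTemplate", {}).get("spec", {})
        return job.get("template", {}).get("spec", {})
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec", {})
    return None


def effective_service_account(obj):
    """ServiceAccount the workload's pods run as. The API server fills in
    "default" when serviceAccountName is omitted, so an omitted field is
    reported as "default" here too ("serviceAccount" is the deprecated alias)."""
    spec = pod_spec(obj)
    if spec is None:
        return None
    return spec.get("serviceAccountName") or spec.get("serviceAccount") or "default"


def _meta(obj):
    meta = obj.get("metadata") or {}
    return obj.get("kind"), meta.get("namespace", "default"), meta.get("name", "<unnamed>")


def audit(docs):
    """Return a list of findings (strings) for a list of parsed manifest documents."""
    findings = []
    used = set()  # (namespace, serviceAccountName) pairs that some workload runs as

    for obj in docs:
        kind, ns, name = _meta(obj)
        sa = effective_service_account(obj)
        if sa is None:
            continue
        used.add((ns, sa))
        if sa == "default":
            findings.append(f"{kind} {ns}/{name} runs as the default ServiceAccount")

    for obj in docs:
        kind, _, name = _meta(obj)
        if kind not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        for subj in obj.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            subj_ns, subj_name = subj.get("namespace"), subj.get("name")
            if not subj_ns:
                # RBAC validation requires a namespace on ServiceAccount subjects
                findings.append(f"{kind} {name}: ServiceAccount subject {subj_name!r} has no namespace")
            elif subj_name == "default":
                findings.append(f"{kind} {name}: grants its role to {subj_ns}/default")
            elif (subj_ns, subj_name) not in used:
                findings.append(
                    f"{kind} {name}: subject {subj_ns}/{subj_name} is not used by any workload in the bundle"
                )
    return findings


def with_service_account(docs, workload_name, sa_name):
    """Return a copy of the bundle with the named workload's pods switched to sa_name."""
    fixed = copy.deepcopy(docs)
    for obj in fixed:
        if (obj.get("metadata") or {}).get("name") == workload_name and pod_spec(obj) is not None:
            pod_spec(obj)["serviceAccountName"] = sa_name
    return fixed


# Constructed sample bundle modelled on the aad-pod-identity manifest under
# discussion: the binding subject has been changed to "manager", but the NMI
# DaemonSet still runs as "default". Workload name, image and role name are
# hypothetical placeholders.
SAMPLE_BEFORE = [
    {"apiVersion": "v1", "kind": "ServiceAccount",
     "metadata": {"name": "manager", "namespace": "capz-system"}},
    {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "capz-aad-pod-id-nmi-binding"},
     "subjects": [{"kind": "ServiceAccount", "name": "manager", "namespace": "capz-system"}],
     "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                 "name": "placeholder-nmi-role"}},
    {"apiVersion": "apps/v1", "kind": "DaemonSet",
     "metadata": {"name": "capz-nmi", "namespace": "capz-system"},
     "spec": {"template": {"spec": {
         "serviceAccountName": "default",
         "containers": [{"name": "nmi", "image": "example.invalid/nmi:placeholder"}]}}}},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_BEFORE):
        print("before:", line)
    for line in audit(with_service_account(SAMPLE_BEFORE, "capz-nmi", "manager")):
        print("after:", line)
```

Run on the sample as shipped it reports both problems (the DaemonSet on `default`, and a binding subject no workload runs as); after `with_service_account` moves the DaemonSet to `manager`, the same bundle audits clean. The same `audit` also flags any binding that still grants a role to a namespace's `default` account, which is the condition the `kubectl get serviceaccount -A | grep default | grep system` listing above was checking for by hand.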

@furkatgofurov7 furkatgofurov7 force-pushed the furkat/use-individual-sa branch from 7eeff02 to eceb123 Compare March 10, 2021 08:29
@furkatgofurov7 furkatgofurov7 force-pushed the furkat/use-individual-sa branch from eceb123 to ccec4c0 Compare March 10, 2021 16:18
@nader-ziada
Copy link
Contributor

/lgtm

@CecileRobertMichon PTAL

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Mar 10, 2021
@CecileRobertMichon
Copy link
Contributor

CecileRobertMichon commented Mar 10, 2021

should this be marked as a breaking change? I see the corresponding CAPI commit is breaking

kubernetes-sigs/cluster-api#4245

@furkatgofurov7 furkatgofurov7 changed the title Use custom service accounts instead of default for controllers ⚠️ Use custom service accounts instead of default for controllers Mar 10, 2021
@furkatgofurov7
Copy link
Member Author

@CecileRobertMichon done!

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Mar 10, 2021
Copy link
Contributor

@CecileRobertMichon CecileRobertMichon left a comment


/approve

@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CecileRobertMichon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 10, 2021
@k8s-ci-robot k8s-ci-robot merged commit 534db6c into kubernetes-sigs:master Mar 10, 2021
@k8s-ci-robot k8s-ci-robot added this to the v0.5.0 milestone Mar 10, 2021