Conversation
Signed-off-by: Jeremy Alvis <jeremy.alvis@solo.io>
iplay88keys
requested review from
EItanya,
ilackarms and
yuval-k
as code owners
Contributor
There was a problem hiding this comment.
Pull request overview
This PR improves the security posture of the bundled PostgreSQL deployment in the kagent Helm chart by giving it a dedicated ServiceAccount (instead of implicitly using the namespace default SA), aligning it with the controller/UI pattern.
Changes:
- Set
serviceAccountNameon the bundled PostgreSQLDeploymentpod spec. - Add a new
postgresql-serviceaccount.yamltemplate rendered only when bundled Postgres is enabled. - Extend Helm unit tests to cover both the
serviceAccountNamewiring and conditional ServiceAccount creation.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| helm/kagent/tests/postgresql_test.yaml | Adds assertions for PostgreSQL serviceAccountName and validates ServiceAccount template rendering behavior. |
| helm/kagent/templates/postgresql.yaml | Assigns the bundled PostgreSQL pod to a dedicated ServiceAccount. |
| helm/kagent/templates/postgresql-serviceaccount.yaml | Introduces the dedicated ServiceAccount resource for bundled PostgreSQL when enabled. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
EItanya
reviewed
Mar 25, 2026
Contributor
EItanya
left a comment
EItanya
left a comment
There was a problem hiding this comment.
Why not colocate this with postgres.yaml?
Contributor
Author
No particular reason. That works for me. |
Signed-off-by: Jeremy Alvis <jeremy.alvis@solo.io>
EItanya
approved these changes
Mar 26, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The bundled PostgreSQL deployment was missing a
ServiceAccount. Unlike the controller and UI components, which each have a dedicatedServiceAccountand reference it viaserviceAccountNamein their pod specs, the PostgreSQL pod was running without one, falling back to thedefaultservice account in the namespace.Running pods against the
defaultservice account is a security best practice violation. It conflates identity across unrelated workloads and makes it harder to scope RBAC or audit pod-level API access. Each component should have a dedicated, least-privilege identity.