
Admission controller to attach additional secrets to a service account #9902

@erictune

The following does not work but I would like it to:

# Make secret
$ kubectl create -f - <<EOF
apiVersion: v1
data:
  thing: dGVzdAo=
kind: Secret
metadata:
  name: test-secret
type: Opaque
EOF
secrets/test-secret
# Make non-default service account
$ kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
EOF
serviceaccounts/test-sa
# Verify creation and get the existing token name
$ kubectl get serviceaccounts/test-sa -oyaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: 2015-06-16T21:52:39Z
  name: test-sa
  namespace: default
  resourceVersion: "313260"
  selfLink: /api/v1/namespaces/default/serviceaccounts/test-sa
  uid: 02348e46-1572-12e5-afc2-41010ae0021f
secrets:
- name: test-sa-token-wr9j3
# Update service account to have another secret
$ kubectl update -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: test-sa
secrets:
- name: test-sa-token-wr9j3
- name: test-secret
EOF
serviceaccounts/test-sa
# Create a pod that uses test-sa and both its secrets
$ kubectl create -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: p1
spec:
  containers:
  - image: progrium/busybox
    name: c
    command: [ "ls", "-lR", "/var/run/secrets/"]
  serviceAccount: test-sa
  restartPolicy: Never
EOF
# Sadly, only one secret got mounted.
$ kubectl get pods/p1 -oyaml | grep volumes -A 3
  volumes:
  - name: test-sa-token-wr9j3
    secret:
      secretName: test-sa-token-wr9j3

@liggitt is there a way to talk the service account controller into mounting the second secret?
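Added example, not part of the issue or of Kubernetes itself: the ServiceAccount admission plugin only injects the API token volume, so any other entry in the ServiceAccount's `secrets` list has to be declared as a pod volume by whoever writes the pod spec. The helper below does that client-side for the objects from this issue (reconstructed here as plain dicts): `missing_sa_secrets` reports the symptom seen above (one secret mounted, one not), and `attach_sa_secrets` returns a pod spec with a read-only secret volume and mount added for each missing secret. The mount root `/var/run/secrets/serviceaccount-extras` and the `sa-secret-` volume-name prefix are assumptions chosen so they cannot collide with the token volume; the function names are hypothetical.

```python
"""Client-side stand-in for the behaviour the issue asks of the ServiceAccount
admission controller: mount every Secret a ServiceAccount lists, not only the
token. Hypothetical helper code, not kubectl or Kubernetes behaviour."""
import copy
import json
import re

# Constructed objects mirroring the issue: the ServiceAccount references two
# secrets, but the admitted pod only received the token volume.
SERVICE_ACCOUNT = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "test-sa", "namespace": "default"},
    "secrets": [{"name": "test-sa-token-wr9j3"}, {"name": "test-secret"}],
}

ADMITTED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "p1"},
    "spec": {
        "serviceAccount": "test-sa",
        "restartPolicy": "Never",
        "containers": [{
            "name": "c",
            "image": "progrium/busybox",
            "command": ["ls", "-lR", "/var/run/secrets/"],
            "volumeMounts": [{
                "name": "test-sa-token-wr9j3",
                "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                "readOnly": True,
            }],
        }],
        "volumes": [{"name": "test-sa-token-wr9j3",
                     "secret": {"secretName": "test-sa-token-wr9j3"}}],
    },
}

MOUNT_ROOT = "/var/run/secrets/serviceaccount-extras"  # assumed location


def _volume_name(secret_name):
    """Volume names must be DNS labels (lowercase alnum and '-', <= 63 chars),
    while Secret names may contain dots, so derive a safe, distinct name."""
    label = re.sub(r"[^a-z0-9-]", "-", secret_name.lower())
    return ("sa-secret-" + label)[:63].rstrip("-")


def mounted_secret_names(pod):
    """Names of the Secret objects projected by the pod's secret volumes."""
    return {v["secret"]["secretName"]
            for v in pod["spec"].get("volumes", []) if "secret" in v}


def missing_sa_secrets(pod, sa):
    """Secrets listed on the ServiceAccount that no pod volume projects.
    For the pod in the issue this is exactly the second secret."""
    mounted = mounted_secret_names(pod)
    wanted = dict.fromkeys(s["name"] for s in sa.get("secrets", []))
    return [name for name in wanted if name not in mounted]


def attach_sa_secrets(pod, sa, mount_root=MOUNT_ROOT):
    """Return a copy of pod with a read-only secret volume plus a mount in every
    container for each missing SA secret. Idempotent: re-running on the result
    adds nothing, and the input pod is left untouched."""
    new_pod = copy.deepcopy(pod)
    spec = new_pod["spec"]
    volumes = spec.setdefault("volumes", [])
    for secret_name in missing_sa_secrets(pod, sa):
        vol = _volume_name(secret_name)
        volumes.append({"name": vol, "secret": {"secretName": secret_name}})
        mount_path = f"{mount_root}/{secret_name}"
        for container in spec["containers"]:
            mounts = container.setdefault("volumeMounts", [])
            if any(m["mountPath"] == mount_path for m in mounts):
                continue  # already mounted at that path; do not duplicate
            mounts.append({"name": vol, "mountPath": mount_path,
                           "readOnly": True})
    return new_pod


if __name__ == "__main__":
    print("missing before:", missing_sa_secrets(ADMITTED_POD, SERVICE_ACCOUNT))
    fixed = attach_sa_secrets(ADMITTED_POD, SERVICE_ACCOUNT)
    print("missing after:", missing_sa_secrets(fixed, SERVICE_ACCOUNT))
    print(json.dumps(fixed["spec"]["volumes"], indent=2))
```

Feed the output of `attach_sa_secrets` to `kubectl create -f -` in place of the original pod spec and the second secret appears under the assumed mount root; the token volume that the admission plugin adds is left alone, since it is already present in the spec.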

Labels: priority/backlog