add pull secrets to service accounts #8582
Conversation
secretRefs := []api.LocalObjectReference{} | ||
secretRefs = append(secretRefs, pod.Spec.ImagePullSecrets...) | ||
|
||
if len(pod.Spec.ServiceAccount) > 0 { |
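Review bot: merging the service account's pull secrets into `secretRefs` here in the kubelet duplicates a decision that the service account admission controller is already making (the admission hunks in this PR both inject the service account's list when the pod has none and reject pod references the service account does not carry), so two code paths can end up disagreeing about the effective set, and the kubelet gains a reason to read service accounts it otherwise would not touch. Suggest letting the kubelet consume `pod.Spec.ImagePullSecrets` exactly as admitted and dropping the `if len(pod.Spec.ServiceAccount) > 0 {` branch, or adding a comment explaining why a kubelet-side merge is still required.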
should the merge happen here or in the serviceaccounts admission controller?
} | ||
for i, pullSecretRef := range pod.Spec.ImagePullSecrets { | ||
if !pullSecrets.Has(pullSecretRef.Name) { | ||
return fmt.Errorf(`imagePullSecrets["%d"].name="%s" is not allowed because service account %s does not reference that imagePullSecret`, i, pullSecretRef.Name, serviceAccount.Name) |
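Review bot: the index in `imagePullSecrets["%d"]` should not be quoted; `%d` is an integer position, and wrapping it in quotes makes the message read like a string key. Use `imagePullSecrets[%d].name=%q` instead, which leaves the index bare and lets the formatter quote (and escape) the secret name; `%q` for the service account name in the same message would be consistent. The check itself reads correctly: every reference the pod lists must appear in the `pullSecrets` set built from the service account, and the first miss is reported with its position.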
don't quote the index in ["%d"]
comment addressed.
I am stoked that this is in progress, won't have review bw until tomorrow
@@ -186,6 +187,10 @@ func (s *serviceAccount) Admit(a admission.Attributes) (err error) { | |||
} | |||
} | |||
|
|||
if len(pod.Spec.ImagePullSecrets) == 0 { | |||
pod.Spec.ImagePullSecrets = serviceAccount.ImagePullSecrets |
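Review bot: `pod.Spec.ImagePullSecrets = serviceAccount.ImagePullSecrets` aliases the service account's backing array, so any later in-place mutation of the pod's slice also changes the `serviceAccount` object the admission controller is holding, which is typically a shared copy rather than one owned by this request. Copy the references instead, e.g. `pod.Spec.ImagePullSecrets = append([]api.LocalObjectReference{}, serviceAccount.ImagePullSecrets...)` or a `make` of the right length followed by `copy`. A test that mutates a name in the pod's slice after admission and asserts the service account's entry is unchanged would pin the behaviour down.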
You should copy these, otherwise they could be modified.
Done.
Can one of the admins verify that this patch is reasonable to test? (reply "ok to test", or if you trust the user, reply "add to whitelist") If this message is too spammy, please complain @ixdy.
This is new. Is it similar to [test] in openshift? That would be awesome.
@deads2k it's intended to automatically run the e2e tests against GCE on our internal Jenkins instance. It's still a WIP, and was way spammier than I intended when I turned it on. It should be tuned now to only update the commit status (similar to Travis/Shippable) rather than spamming comments all the time. Right now all it will do is just build everything, but I hope to turn on running tests sometime tomorrow.
That would be awesome. I'd really like rights to use it. Being able to do some e2e checks and another option to run the whole e2e bucket would also be a nice to have feature.
@k8s-bot ok to test
@pmorie surely you trust the user..... :)
err := admit.Admit(attrs) | ||
if err != nil { | ||
t.Errorf("Unexpected error: %v", err) | ||
} |
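Review bot: the test only asserts that `admit.Admit(attrs)` returned no error; it does not check what was admitted. After the call it should assert that `pod.Spec.ImagePullSecrets` now equals the service account's list, then change a name in the pod's slice and assert the service account's slice is unchanged, so the copy-versus-alias behaviour of the admission controller is covered rather than just the absence of an error.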
Would be nice to mutate the pod's secret name and make sure the service account's secret name doesn't change.
check added.
This PR LGTM, @lavalamp, I'll leave it to you to tag.
LGTM
bump?
LGTM as well
Rerunning Travis then will merge
Oh wait, on call is doing merges now. Leaving it, David, ping the on call when they get up.
It looks like there's half a dozen PRs in the queue ahead of you, sorry.
@lavalamp any chance someone can take a look at this one tomorrow?
Nvm, @a-robinson explained the situation w/ the merge hangover from last week.
…ount add pull secrets to service accounts

This adds `ImagePullSecrets` to the `ServiceAccount` type and restricts a pod's ability to reference `ImagePullSecrets`. If a pod lacks `ImagePullSecrets`, but has a service account that references `ImagePullSecrets`, the pod gets its list from the service account. `ImagePullSecrets` is distinct from the `Secrets` on a `ServiceAccount` because `Secrets` may be mounted into the pod, but `ImagePullSecrets` are only available to the kubelet.

@lavalamp Since you reviewed the pod pull secrets
@liggitt because it touches service accounts
/cc @smarterclayton @pmorie
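The two rules the description states (a pod with no `ImagePullSecrets` inherits the service account's list; a pod that does list them may only name ones the service account also references), worked through as an added, self-contained Go example. This is not the PR's or Kubernetes' code: `LocalObjectReference`, `ServiceAccount` and `PodSpec` are cut-down stand-ins for the API types, and `admitImagePullSecrets` and `inheritAliased` are hypothetical names. `inheritAliased` reproduces the slice-aliasing pitfall raised in review so the difference from the copying version is observable.

```go
package main

import "fmt"

// Stand-ins for the Kubernetes API types (assumption: only the fields this
// example needs are modelled).
type LocalObjectReference struct {
	Name string
}

type ServiceAccount struct {
	Name             string
	ImagePullSecrets []LocalObjectReference
}

type PodSpec struct {
	ServiceAccount   string
	ImagePullSecrets []LocalObjectReference
}

// inheritAliased is the pitfall raised in review: assigning the slice directly
// makes the pod share the service account's backing array, so mutating the
// pod's entries afterwards also mutates the service account.
func inheritAliased(spec *PodSpec, sa *ServiceAccount) {
	spec.ImagePullSecrets = sa.ImagePullSecrets
}

// admitImagePullSecrets applies both rules from the PR description. It is a
// hypothetical helper, not the admission controller's real signature:
//  1. a pod with no imagePullSecrets gets a copy of the service account's;
//  2. a pod that lists imagePullSecrets may only name ones the service
//     account also references, otherwise it is rejected.
func admitImagePullSecrets(spec *PodSpec, sa *ServiceAccount) error {
	if len(spec.ImagePullSecrets) == 0 {
		// Copy, never alias: the service account object is typically shared
		// (e.g. held in a cache) and must not change when the pod is mutated.
		spec.ImagePullSecrets = append([]LocalObjectReference(nil), sa.ImagePullSecrets...)
		return nil
	}

	allowed := make(map[string]struct{}, len(sa.ImagePullSecrets))
	for _, ref := range sa.ImagePullSecrets {
		allowed[ref.Name] = struct{}{}
	}
	for i, ref := range spec.ImagePullSecrets {
		if _, ok := allowed[ref.Name]; !ok {
			// Bare index, %q-quoted names: the error-text nit from the review.
			return fmt.Errorf("imagePullSecrets[%d].name=%q is not allowed because service account %q does not reference that imagePullSecret",
				i, ref.Name, sa.Name)
		}
	}
	return nil
}

func main() {
	// Constructed sample data.
	sa := &ServiceAccount{Name: "builder", ImagePullSecrets: []LocalObjectReference{{Name: "registry-creds"}}}

	// Case 1: a pod without pull secrets inherits a copy of the service account's.
	pod := &PodSpec{ServiceAccount: "builder"}
	fmt.Println(admitImagePullSecrets(pod, sa), pod.ImagePullSecrets)
	pod.ImagePullSecrets[0].Name = "tampered"
	fmt.Println("service account after mutating the pod:", sa.ImagePullSecrets[0].Name)

	// Case 2: a pod naming a secret the service account lacks is rejected.
	bad := &PodSpec{ServiceAccount: "builder", ImagePullSecrets: []LocalObjectReference{{Name: "someone-elses-creds"}}}
	fmt.Println(admitImagePullSecrets(bad, sa))

	// Aliased variant: the same mutation leaks into the service account.
	sa2 := &ServiceAccount{Name: "builder", ImagePullSecrets: []LocalObjectReference{{Name: "registry-creds"}}}
	alias := &PodSpec{ServiceAccount: "builder"}
	inheritAliased(alias, sa2)
	alias.ImagePullSecrets[0].Name = "tampered"
	fmt.Println("aliased service account after mutating the pod:", sa2.ImagePullSecrets[0].Name)
}
```

The copy uses `append` onto a nil slice so that an empty service account list yields an empty pod list without sharing storage; the membership check is a set lookup so the error can point at the offending index regardless of list length.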