HOSTEDCP-1308: Add e2e to ensure SA token not mounted on mgmt workloa…

…ds unless necessary
openshift · Jan 8, 2024 · 576cbae · 576cbae
1 parent 91d567f
commit 576cbae
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 23 deletions.
diff --git a/control-plane-operator/controllers/hostedcontrolplane/cloud/aws/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/cloud/aws/reconcile.go
@@ -2,6 +2,7 @@ package aws
 
 import (
 	"fmt"
+	k8sutilspointer "k8s.io/utils/pointer"
 
 	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
 	"github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/imageprovider"
@@ -36,8 +37,9 @@ func ReconcileDeployment(deployment *appsv1.Deployment, hcp *hyperv1.HostedContr
 				Containers: []corev1.Container{
 					util.BuildContainer(ccmContainer(), buildCCMContainer(releaseImageProvider.GetImage("aws-cloud-controller-manager"))),
 				},
-				Volumes:            []corev1.Volume{},
-				ServiceAccountName: serviceAccountName,
+				Volumes:                      []corev1.Volume{},
+				ServiceAccountName:           serviceAccountName,
+				AutomountServiceAccountToken: k8sutilspointer.Bool(false),
 			},
 		},
 	}

diff --git a/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go
@@ -181,6 +181,8 @@ func ReconcileStatefulSet(ss *appsv1.StatefulSet, p *EtcdParams) error {
 		},
 	}
 
+	ss.Spec.Template.Spec.AutomountServiceAccountToken = pointer.Bool(false)
+
 	p.DeploymentConfig.ApplyToStatefulSet(ss)
 
 	return nil

diff --git a/test/e2e/util/hypershift_framework.go b/test/e2e/util/hypershift_framework.go
@@ -121,6 +121,7 @@ func (h *hypershiftTest) after(hostedCluster *hyperv1.HostedCluster, opts *core.
 		if platform == hyperv1.AWSPlatform {
 			EnsureHCPPodsAffinitiesAndTolerations(t, context.Background(), h.client, hostedCluster)
 		}
+		EnsureSATokenNotMountedUnlessNecessary(t, context.Background(), h.client, hostedCluster)
 	})
 }
 

diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go
@@ -52,6 +52,25 @@ import (
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+var expectedKasManagementComponents = []string{
+	"cluster-network-operator",
+	"ignition-server",
+	"cluster-storage-operator",
+	"csi-snapshot-controller-operator",
+	"machine-approver",
+	"cluster-autoscaler",
+	"cluster-node-tuning-operator",
+	"capi-provider-controller-manager",
+	"capi-provider",
+	"cluster-api",
+	"control-plane-operator",
+	"control-plane-pki-operator",
+	"hosted-cluster-config-operator",
+	"cloud-controller-manager",
+	"olm-collect-profiles",
+	"aws-ebs-csi-driver-operator",
+}
+
 func UpdateObject[T crclient.Object](t *testing.T, ctx context.Context, client crclient.Client, original T, mutate func(obj T)) error {
 	return wait.PollImmediateWithContext(ctx, time.Second, time.Minute*1, func(ctx context.Context) (done bool, err error) {
 		if err := client.Get(ctx, crclient.ObjectKeyFromObject(original), original); err != nil {
@@ -755,28 +774,8 @@ func EnsureNetworkPolicies(t *testing.T, ctx context.Context, c crclient.Client,
 
 		hcpNamespace := manifests.HostedControlPlaneNamespace(hostedCluster.Namespace, hostedCluster.Name)
 		t.Run("EnsureComponentsHaveNeedManagementKASAccessLabel", func(t *testing.T) {
-			// Check for all components expected to have NeedManagementKASAccessLabel.
-			want := []string{
-				"cluster-network-operator",
-				"ignition-server",
-				"cluster-storage-operator",
-				"csi-snapshot-controller-operator",
-				"machine-approver",
-				"cluster-autoscaler",
-				"cluster-node-tuning-operator",
-				"capi-provider-controller-manager",
-				"cluster-api",
-				"etcd", // For etcd-defrag leader elections
-				"control-plane-operator",
-				"control-plane-pki-operator",
-				"hosted-cluster-config-operator",
-				"cloud-controller-manager",
-				"olm-collect-profiles",
-				"aws-ebs-csi-driver-operator",
-			}
-
 			g := NewWithT(t)
-			err := checkPodsHaveLabel(ctx, c, want, hcpNamespace, client.MatchingLabels{suppconfig.NeedManagementKASAccessLabel: "true"})
+			err := checkPodsHaveLabel(ctx, c, expectedKasManagementComponents, hcpNamespace, client.MatchingLabels{suppconfig.NeedManagementKASAccessLabel: "true"})
 			g.Expect(err).ToNot(HaveOccurred())
 		})
 
@@ -1719,3 +1718,43 @@ func EnsureNoHCPPodsLandOnDefaultNode(t *testing.T, ctx context.Context, client
 		g.Expect(hcpNodeNames).To(ContainElement(pod.Spec.NodeName))
 	}
 }
+
+func EnsureSATokenNotMountedUnlessNecessary(t *testing.T, ctx context.Context, c crclient.Client, hostedCluster *hyperv1.HostedCluster) {
+	//g := NewWithT(t)
+
+	hcpNamespace := manifests.HostedControlPlaneNamespace(hostedCluster.Namespace, hostedCluster.Name)
+
+	var pods corev1.PodList
+	if err := c.List(ctx, &pods, &crclient.ListOptions{Namespace: hcpNamespace}); err != nil {
+	}
+
+	expectedComponentsWithTokenMount := append(expectedKasManagementComponents,
+		"aws-ebs-csi-driver-controller",
+		"packageserver",
+		"csi-snapshot-webhook",
+		"csi-snapshot-controller",
+		"ovnkube-control-plane", //remove once https://issues.redhat.com/browse/OCPBUGS-26408 is closed,
+	)
+
+	for _, pod := range pods.Items {
+		hasPrefix := false
+		for _, prefix := range expectedComponentsWithTokenMount {
+			if strings.HasPrefix(pod.Name, prefix) {
+				hasPrefix = true
+				break
+			}
+		}
+		if !hasPrefix {
+			for _, volume := range pod.Spec.Volumes {
+				if strings.HasPrefix(volume.Name, "kube-api-access-") {
+					t.Logf("SA token mount found in pod %s\n", pod.Name)
+				}
+			}
+		}
+		//if !hasPrefix {
+		//	for _, volume := range pod.Spec.Volumes {
+		//		g.Expect(volume.Name).ToNot(HavePrefix("kube-api-access-"))
+		//	}
+		//}
+	}
+}