diff --git a/control-plane-operator/controllers/hostedcontrolplane/cloud/aws/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/cloud/aws/reconcile.go index 418a484e9be..d8d0570bc6f 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/cloud/aws/reconcile.go +++ b/control-plane-operator/controllers/hostedcontrolplane/cloud/aws/reconcile.go @@ -2,6 +2,7 @@ package aws import ( "fmt" + k8sutilspointer "k8s.io/utils/pointer" hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1" "github.com/openshift/hypershift/control-plane-operator/controllers/hostedcontrolplane/imageprovider" @@ -36,8 +37,9 @@ func ReconcileDeployment(deployment *appsv1.Deployment, hcp *hyperv1.HostedContr Containers: []corev1.Container{ util.BuildContainer(ccmContainer(), buildCCMContainer(releaseImageProvider.GetImage("aws-cloud-controller-manager"))), }, - Volumes: []corev1.Volume{}, - ServiceAccountName: serviceAccountName, + Volumes: []corev1.Volume{}, + ServiceAccountName: serviceAccountName, + AutomountServiceAccountToken: k8sutilspointer.Bool(false), }, }, } diff --git a/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go b/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go index 4ae56baa7a8..a8386e2723b 100644 --- a/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go +++ b/control-plane-operator/controllers/hostedcontrolplane/etcd/reconcile.go @@ -181,6 +181,8 @@ func ReconcileStatefulSet(ss *appsv1.StatefulSet, p *EtcdParams) error { }, } + ss.Spec.Template.Spec.AutomountServiceAccountToken = pointer.Bool(false) + p.DeploymentConfig.ApplyToStatefulSet(ss) return nil diff --git a/test/e2e/util/hypershift_framework.go b/test/e2e/util/hypershift_framework.go index 2098726402c..733ff14face 100644 --- a/test/e2e/util/hypershift_framework.go +++ b/test/e2e/util/hypershift_framework.go 
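Review bot: The new `AutomountServiceAccountToken: k8sutilspointer.Bool(false)` on the CCM pod template uses a different alias than the etcd hunk of this same commit, which writes `pointer.Bool(false)`; using the plain `pointer` alias here too (or the same alias in both files) keeps the two call sites readable as one change. More importantly, `cloud-controller-manager` stays in the e2e list of components expected to carry the NeedManagementKASAccessLabel, so a reader will assume it talks to the management KAS; please state in the commit description, or in a comment on the new line such as `// The CCM does not use the management-cluster SA token; keep it unmounted.`, why the automounted token is not needed, because if the CCM does rely on it this line removes its credential. ReconcileDeployment's body starts and ends outside the hunk.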
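Review bot: Setting `AutomountServiceAccountToken` to false on the etcd StatefulSet removes the token the old e2e expectation explained with `// For etcd-defrag leader elections`, the etcd entry this commit also drops from the NeedManagementKASAccessLabel list, and nothing else in the diff shows an alternative credential or a change to the defrag logic. If etcd-defrag no longer needs the management KAS, record that above the new line, e.g. `// etcd has no management-KAS access; do not mount a service account token.`; if it still does, this line will break leader election, so it deserves an explicit confirmation in the description. The assignment is also made before `p.DeploymentConfig.ApplyToStatefulSet(ss)`; verify that ApplyToStatefulSet only layers onto the pod spec rather than replacing it, otherwise the setting is lost. ReconcileStatefulSet's body starts outside the hunk.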
@@ -121,6 +121,7 @@ func (h *hypershiftTest) after(hostedCluster *hyperv1.HostedCluster, opts *core. if platform == hyperv1.AWSPlatform { EnsureHCPPodsAffinitiesAndTolerations(t, context.Background(), h.client, hostedCluster) } + EnsureSATokenNotMountedUnlessNecessary(t, context.Background(), h.client, hostedCluster) }) } diff --git a/test/e2e/util/util.go b/test/e2e/util/util.go index 2548c1c67f2..23752d3d86f 100644 --- a/test/e2e/util/util.go +++ b/test/e2e/util/util.go @@ -52,6 +52,25 @@ import ( crclient "sigs.k8s.io/controller-runtime/pkg/client" ) +var expectedKasManagementComponents = []string{ + "cluster-network-operator", + "ignition-server", + "cluster-storage-operator", + "csi-snapshot-controller-operator", + "machine-approver", + "cluster-autoscaler", + "cluster-node-tuning-operator", + "capi-provider-controller-manager", + "capi-provider", + "cluster-api", + "control-plane-operator", + "control-plane-pki-operator", + "hosted-cluster-config-operator", + "cloud-controller-manager", + "olm-collect-profiles", + "aws-ebs-csi-driver-operator", +} + func UpdateObject[T crclient.Object](t *testing.T, ctx context.Context, client crclient.Client, original T, mutate func(obj T)) error { return wait.PollImmediateWithContext(ctx, time.Second, time.Minute*1, func(ctx context.Context) (done bool, err error) { if err := client.Get(ctx, crclient.ObjectKeyFromObject(original), original); err != nil { 
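Review bot: `expectedKasManagementComponents` is a new package-level slice with no doc comment, and later in this diff EnsureSATokenNotMountedUnlessNecessary extends it with `append`, so readers need to know it is a shared list of pod-name prefixes that must not be grown in place. Suggest `// expectedKasManagementComponents lists pod-name prefixes of HCP components expected to carry the NeedManagementKASAccessLabel (and therefore a management SA token mount). It is shared by several checks; copy it before appending.` The list also differs from the one it replaces: `etcd` is gone and `capi-provider` is new, and since `capi-provider` is a prefix of `capi-provider-controller-manager` the longer entry looks redundant if checkPodsHaveLabel matches by prefix as the SA-token check does (checkPodsHaveLabel is not visible here, so this is a question rather than a defect). The intent behind dropping etcd should be stated in the commit description.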
@@ -755,28 +774,8 @@ func EnsureNetworkPolicies(t *testing.T, ctx context.Context, c crclient.Client, hcpNamespace := manifests.HostedControlPlaneNamespace(hostedCluster.Namespace, hostedCluster.Name) t.Run("EnsureComponentsHaveNeedManagementKASAccessLabel", func(t *testing.T) { - // Check for all components expected to have NeedManagementKASAccessLabel. - want := []string{ - "cluster-network-operator", - "ignition-server", - "cluster-storage-operator", - "csi-snapshot-controller-operator", - "machine-approver", - "cluster-autoscaler", - "cluster-node-tuning-operator", - "capi-provider-controller-manager", - "cluster-api", - "etcd", // For etcd-defrag leader elections - "control-plane-operator", - "control-plane-pki-operator", - "hosted-cluster-config-operator", - "cloud-controller-manager", - "olm-collect-profiles", - "aws-ebs-csi-driver-operator", - } - g := NewWithT(t) - err := checkPodsHaveLabel(ctx, c, want, hcpNamespace, client.MatchingLabels{suppconfig.NeedManagementKASAccessLabel: "true"}) + err := checkPodsHaveLabel(ctx, c, expectedKasManagementComponents, hcpNamespace, client.MatchingLabels{suppconfig.NeedManagementKASAccessLabel: "true"}) g.Expect(err).ToNot(HaveOccurred()) }) 
@@ -1719,3 +1718,43 @@ func EnsureNoHCPPodsLandOnDefaultNode(t *testing.T, ctx context.Context, client g.Expect(hcpNodeNames).To(ContainElement(pod.Spec.NodeName)) } } + +func EnsureSATokenNotMountedUnlessNecessary(t *testing.T, ctx context.Context, c crclient.Client, hostedCluster *hyperv1.HostedCluster) { + g := NewWithT(t) + + hcpNamespace := manifests.HostedControlPlaneNamespace(hostedCluster.Namespace, hostedCluster.Name) + + var pods corev1.PodList + if err := c.List(ctx, &pods, &crclient.ListOptions{Namespace: hcpNamespace}); err != nil { + } + + expectedComponentsWithTokenMount := append(expectedKasManagementComponents, + "aws-ebs-csi-driver-controller", + "packageserver", + "csi-snapshot-webhook", + "csi-snapshot-controller", + "ovnkube-control-plane", //remove once https://issues.redhat.com/browse/OCPBUGS-26408 is closed, + ) + + for _, pod := range pods.Items { + hasPrefix := false + for _, prefix := range expectedComponentsWithTokenMount { + if strings.HasPrefix(pod.Name, prefix) { + hasPrefix = true + break + } + } + if !hasPrefix { + for _, volume := range pod.Spec.Volumes { + if strings.HasPrefix(volume.Name, "kube-api-access-") { + t.Logf("SA token mount found in pod %s\n", pod.Name) + } + } + } + //if !hasPrefix { + // for _, volume := range pod.Spec.Volumes { + // g.Expect(volume.Name).ToNot(HavePrefix("kube-api-access-")) + // } + //} + } +}
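Review bot: The new check can never fail: the `c.List` error is swallowed by an empty `if` body (a failed list yields zero pods and a silent pass), the Gomega assertions are commented out so a pod that mounts a token is only `t.Logf`'d, and `g` is declared but never used, which the Go compiler rejects with "declared and not used". Since this is the least-privilege guard the rest of the commit relies on, it should assert rather than log; the rewrite below fails on a list error and on any non-allow-listed pod with a `kube-api-access-` volume, and copies the shared package-level slice before appending so the append can never write into another caller's backing array. The trailing `//remove once ... is closed,` comment on the ovnkube entry is easier to find as a `// TODO(OCPBUGS-26408): ...` line above it, and `t.Logf` already ends the line, so the `\n` in the message is unnecessary.

```go
	var pods corev1.PodList
	// A failed List must fail the check; an empty list would otherwise pass silently.
	g.Expect(c.List(ctx, &pods, &crclient.ListOptions{Namespace: hcpNamespace})).To(Succeed())

	// Copy before appending: expectedKasManagementComponents is shared package state.
	expectedComponentsWithTokenMount := append(append([]string{}, expectedKasManagementComponents...),
		"aws-ebs-csi-driver-controller",
		"packageserver",
		"csi-snapshot-webhook",
		"csi-snapshot-controller",
		// TODO(OCPBUGS-26408): remove once the bug is closed.
		"ovnkube-control-plane",
	)

	for _, pod := range pods.Items {
		allowed := false
		for _, prefix := range expectedComponentsWithTokenMount {
			if strings.HasPrefix(pod.Name, prefix) {
				allowed = true
				break
			}
		}
		if allowed {
			continue
		}
		for _, volume := range pod.Spec.Volumes {
			g.Expect(volume.Name).ToNot(HavePrefix("kube-api-access-"),
				"pod %s mounts a service account token but is not expected to need one", pod.Name)
		}
	}
```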