New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add automountServiceAccountToken option to alertmanager spec #5474
Add automountServiceAccountToken option to alertmanager spec #5474
Conversation
Signed-off-by: stgrace <stefgraces@hotmail.com>
I'd rather have it disabled by default and not have the option to turn it back on 🤔. Do you see a use-case where alertmanager would need the serviceaccount mounted? |
IIUC the PR doesn't change the current behavior: the SA token will not be automatically mounted until the user sets the field to
One example is when using kube-rbac-proxy in front of Alertmanager. One could probably use SA token volume projection but it's more involved that just setting We might want to have a similar change for the ThanosRuler CRD but it doesn't have to be in this PR. |
Not sure what you mean? By default, all pods mount their serviceaccounttoken in kubernetes. Adding this option to alertmanager and setting it to false allows users to opt out of this default behavior. |
I'd also think that disabling it and not having the option to turn it back on is a good idea if there is no reason for this component to have access to the kubernetes API |
Yes sorry I wasn't clear enough: I meant to say that for people that have already opted out for API credential automounting at the SA level (https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting), it won't change anything. Similarly for people that rely on automounting at the SA level, the token will still be mounted unless they explicitly set As a follow-up, this snippet achieves the same goal:
|
this isn't a valid assumption (see my comment earlier about kube-rbac-proxy). |
I understand that if you disable it at the SA level it doesn't change anything, but I still think it's a good idea to have it as an option to also disable it at the pod level. |
Yes I agree. But to be clear, I don't think that we should default to |
@simonpasquier Is there anything that needs to be changed for this PR then? |
@stgrace any updates planned for this PR? |
What updates are exactly required? For me this is ready to be merged? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for taking this long to review, just have some small nits.
// If you don't want the kubelet to automatically mount a ServiceAccount's API credentials, you can opt out of the default behavior. | ||
// You can opt out of automounting API credentials on /var/run/secrets/kubernetes.io/serviceaccount/token for a pod by setting automountServiceAccountToken: false on the pod spec. | ||
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// If you don't want the kubelet to automatically mount a ServiceAccount's API credentials, you can opt out of the default behavior. | |
// You can opt out of automounting API credentials on /var/run/secrets/kubernetes.io/serviceaccount/token for a pod by setting automountServiceAccountToken: false on the pod spec. | |
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"` | |
// AutomountServiceAccountToken defines if the ServiceAccount token is mounted into Alertmanager's pod or not. | |
// +optional | |
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think that the original comment is useful because otherwise it might be unclear when this field is useful.
// If you don't want the kubelet to automatically mount a ServiceAccount's API credentials, you can opt out of the default behavior. | |
// You can opt out of automounting API credentials on /var/run/secrets/kubernetes.io/serviceaccount/token for a pod by setting automountServiceAccountToken: false on the pod spec. | |
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"` | |
// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. | |
// If the service account has `automountServiceAccountToken: true`, set the field to `false` to opt out of automounting API credentials. | |
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good to me, let's not forget about the extra comment // +optional
🙂
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry for the late response,
Added the latest comment from @simonpasquier, with the // +optional
hi @stgrace , can you please incorporate the comment. |
Signed-off-by: stgrace <stefgraces@hotmail.com>
Signed-off-by: stgrace <stefgraces@hotmail.com>
Signed-off-by: stgrace <stefgraces@hotmail.com>
Thanks! |
…eus-operator#5474) Signed-off-by: stgrace <stefgraces@hotmail.com>
Description
Add automountServiceAccountToken option to alertmanager spec. As a best practice it's best to disable mounting a service account token for pods that do not need to interact with the Kubernetes API spec, hence this pull request.
Type of change
CHANGE
(fix or feature that would cause existing functionality to not work as expected)FEATURE
(non-breaking change which adds functionality)BUGFIX
(non-breaking change which fixes an issue)ENHANCEMENT
(non-breaking change which improves existing functionality)NONE
(if none of the other choices apply. Example, tooling, build system, CI, docs, etc.)Changelog entry