Merge pull request #401 from gthiemonge/fix_automount

Set AutomountServiceAccountToken to false
openstack-k8s-operators · Jan 14, 2025 · 575fc03 · 575fc03
2 parents 3f54fba + 08500c3
commit 575fc03
Show file tree

Hide file tree

Showing 6 changed files with 12 additions and 5 deletions.
diff --git a/pkg/amphoracontrollers/daemonset.go b/pkg/amphoracontrollers/daemonset.go
@@ -147,6 +147,7 @@ func DaemonSet(
 					},
 					TerminationGracePeriodSeconds: &terminationGracePeriodSeconds,
 					ServiceAccountName:            instance.Spec.ServiceAccount,
+					AutomountServiceAccountToken:  ptr.To(false),
 					Containers: []corev1.Container{
 						{
 							Name:            serviceName,

diff --git a/pkg/octavia/dbsync.go b/pkg/octavia/dbsync.go
@@ -68,8 +68,9 @@ func DbSyncJob(
 					SecurityContext: &corev1.PodSecurityContext{
 						FSGroup: ptr.To(OctaviaUID),
 					},
-					RestartPolicy:      corev1.RestartPolicyOnFailure,
-					ServiceAccountName: instance.RbacResourceName(),
+					RestartPolicy:                corev1.RestartPolicyOnFailure,
+					ServiceAccountName:           instance.RbacResourceName(),
+					AutomountServiceAccountToken: ptr.To(false),
 					Containers: []corev1.Container{
 						{
 							Name:            ServiceName + "-db-sync",

diff --git a/pkg/octavia/image_upload_deployment.go b/pkg/octavia/image_upload_deployment.go
@@ -23,6 +23,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 type ImageUploadDetails struct {
@@ -107,7 +108,8 @@ func ImageUploadDeployment(
 					Labels: labels,
 				},
 				Spec: corev1.PodSpec{
-					ServiceAccountName: instance.RbacResourceName(),
+					ServiceAccountName:           instance.RbacResourceName(),
+					AutomountServiceAccountToken: ptr.To(false),
 					Containers: []corev1.Container{
 						{
 							Name: "octavia-amphora-httpd",

diff --git a/pkg/octaviaapi/deployment.go b/pkg/octaviaapi/deployment.go
@@ -158,7 +158,8 @@ func Deployment(
 					SecurityContext: &corev1.PodSecurityContext{
 						FSGroup: ptr.To(octavia.OctaviaUID),
 					},
-					ServiceAccountName: instance.Spec.ServiceAccount,
+					ServiceAccountName:           instance.Spec.ServiceAccount,
+					AutomountServiceAccountToken: ptr.To(false),
 					Containers: []corev1.Container{
 						{
 							Name: serviceName,

diff --git a/pkg/octaviarsyslog/daemonset.go b/pkg/octaviarsyslog/daemonset.go
@@ -103,7 +103,8 @@ func DaemonSet(
 					Labels:      labels,
 				},
 				Spec: corev1.PodSpec{
-					ServiceAccountName: instance.Spec.ServiceAccount,
+					ServiceAccountName:           instance.Spec.ServiceAccount,
+					AutomountServiceAccountToken: ptr.To(false),
 					Containers: []corev1.Container{
 						{
 							Name:           serviceName,

diff --git a/tests/kuttl/common/assert_sample_deployment.yaml b/tests/kuttl/common/assert_sample_deployment.yaml
@@ -98,6 +98,7 @@ spec:
                   - octavia-api
               topologyKey: kubernetes.io/hostname
             weight: 100
+      automountServiceAccountToken: false
       containers:
       - args:
         - -c