Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow setting spec.template.spec.automountServiceAccountToken in PodSpec #11723

Merged
merged 8 commits into from
Jul 28, 2021
Merged

Allow setting spec.template.spec.automountServiceAccountToken in PodSpec #11723

merged 8 commits into from
Jul 28, 2021

Conversation

psschwei
Copy link
Contributor

@psschwei psschwei commented Jul 26, 2021
edited
Loading

Fixes #9127

Proposed Changes

  • Allows users to set spec.template.spec.automountServiceAccountToken in the PodSpec for a kservice

Release Note

Users can set `spec.template.spec.automountServiceAccountToken` to `false` in a PodSpec in order to opt-out of Kubenetes' default behaviour of mounting a ServiceAccount token in that Pod's containers.

@google-cla google-cla bot added the cla: yes Indicates the PR's author has signed the CLA. label Jul 26, 2021
@knative-prow-robot knative-prow-robot added area/API API objects and controllers size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 26, 2021
@codecov
Copy link

codecov bot commented Jul 26, 2021
edited
Loading

Codecov Report

Merging #11723 (1d7d8fc) into main (0703daa) will decrease coverage by 0.02%.
The diff coverage is 100.00%.

Impacted file tree graph

@@            Coverage Diff             @@
##             main   #11723      +/-   ##
==========================================
- Coverage   87.83%   87.81%   -0.03%     
==========================================
  Files         196      196              
  Lines        9364     9365       +1     
==========================================
- Hits         8225     8224       -1     
- Misses        886      887       +1     
- Partials      253      254       +1
Impacted Files Coverage Δ
pkg/apis/serving/fieldmask.go 95.03% <100.00%> (+0.01%) ⬆️
pkg/autoscaler/statforwarder/leases.go 75.53% <0.00%> (-1.44%) ⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0703daa...1d7d8fc. Read the comment docs.

julz
julz reviewed Jul 26, 2021
View reviewed changes
pkg/apis/serving/fieldmask.go Outdated
@@ -183,6 +183,7 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
out.Volumes = in.Volumes
out.ImagePullSecrets = in.ImagePullSecrets
out.EnableServiceLinks = in.EnableServiceLinks
out.AutomountServiceAccountToken = in.AutomountServiceAccountToken
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought I remembered we were going to have this only allow false, since true could theoretically make things less secure (if an administrator had set AutomountServiceAccountToken = false on the service account), but looks like that was never written on the issue 🤔. TBH maybe this is fine, though, interested in opinions @dprotaso @markusthoemmes

Copy link
Member

@dprotaso dprotaso Jul 28, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's just allow setting this only to false for now

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ack

@dprotaso
Copy link
Member

I think you're missing some updates to the schema file which is why verify is failing

markusthoemmes
markusthoemmes reviewed Jul 28, 2021
View reviewed changes
pkg/apis/serving/fieldmask.go Outdated
@@ -183,6 +183,10 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
out.Volumes = in.Volumes
out.ImagePullSecrets = in.ImagePullSecrets
out.EnableServiceLinks = in.EnableServiceLinks
// Only allow setting AutomountServiceAccountToken to false
if !*in.AutomountServiceAccountToken {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This'll panic because of a nil pointer deref, you'll want to do if in.AutomountServiceAccountToken != nil && !*in.AutomountServiceAccountToken

markusthoemmes
markusthoemmes reviewed Jul 28, 2021
View reviewed changes
pkg/apis/serving/fieldmask.go Outdated
@@ -183,6 +183,10 @@ func PodSpecMask(ctx context.Context, in *corev1.PodSpec) *corev1.PodSpec {
out.Volumes = in.Volumes
out.ImagePullSecrets = in.ImagePullSecrets
out.EnableServiceLinks = in.EnableServiceLinks
// Only allow setting AutomountServiceAccountToken to false
if !*in.AutomountServiceAccountToken && in.AutomountServiceAccountToken != nil {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now it's backwards, will still panic. The && short-circuits, so if you turn this around, the second !*in.AutomountServiceAccountToken won't even be executed if in.AutomountServiceAccountToken != nil is false.

@knative-prow-robot knative-prow-robot added the area/test-and-release It flags unit/e2e/conformance/perf test issues for product features label Jul 28, 2021
@knative-prow-robot knative-prow-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 28, 2021
dprotaso
dprotaso reviewed Jul 28, 2021
View reviewed changes
pkg/apis/serving/k8s_validation_test.go Outdated
}, {
name: "with automountServiceAccountToken (ok)",
ps: corev1.PodSpec{
AutomountServiceAccountToken: &falseValue,
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we have a helper ptr.Bool(false)

pkg/apis/serving/fieldmask.go Outdated
Comment on lines 218 to 223
// Only allow setting AutomountServiceAccountToken to false
if in.AutomountServiceAccountToken != nil {
if *in.AutomountServiceAccountToken {
out.AutomountServiceAccountToken = nil
}
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd say just delete this block - it shouldn't be necessary

@knative-prow-robot knative-prow-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 28, 2021
@dprotaso
Copy link
Member

/lgtm
/approve

@knative-prow-robot knative-prow-robot added the lgtm Indicates that a PR is ready to be merged. label Jul 28, 2021
@knative-prow-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dprotaso, psschwei

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow-robot knative-prow-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 28, 2021
@knative-prow-robot knative-prow-robot merged commit 45dda6b into knative:main Jul 28, 2021
@psschwei psschwei mentioned this pull request Jul 29, 2021
Merged
@psschwei psschwei deleted the automount-serviceaccount-token branch October 15, 2021 15:18
@KauzClay KauzClay mentioned this pull request Jun 26, 2023
Closed
@hernan-abi hernan-abi mentioned this pull request Nov 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@markusthoemmes markusthoemmes markusthoemmes left review comments

@julz julz julz left review comments

@dprotaso dprotaso dprotaso left review comments

Assignees

@dprotaso dprotaso

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/API API objects and controllers area/test-and-release It flags unit/e2e/conformance/perf test issues for product features cla: yes Indicates the PR's author has signed the CLA. lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Serving webhook should not reject Pods' automountServiceAccountToken attribute
5 participants
@psschwei @dprotaso @knative-prow-robot @julz @markusthoemmes