This commit adds a ServiceAccount (config/rbac/service_account.yaml)

and changes the default service account name from default to controller-manager such that a user can specify which service account their manager should be created in. They may change this value by updating files referencing the metadata.name value in service_account.yaml. pkg/plugins/golang/v3: update all scaffold referencing the default service account with references to the "controller-manager" service account, specified in service_account.yaml. Signed-off-by: Eric Stroczynski <ericstroczynski@gmail.com>
kubernetes-sigs · Mar 9, 2021 · 79b885b · 79b885b
1 parent 2018a4f
commit 79b885b
Show file tree

Hide file tree

Showing 37 changed files with 153 additions and 34 deletions.
diff --git a/pkg/plugins/golang/v3/scaffolds/init.go b/pkg/plugins/golang/v3/scaffolds/init.go
@@ -105,6 +105,7 @@ func (s *initScaffolder) scaffold() error {
 		&rbac.RoleBinding{},
 		&rbac.LeaderElectionRole{},
 		&rbac.LeaderElectionRoleBinding{},
+		&rbac.ServiceAccount{},
 		&manager.Kustomization{},
 		&manager.Config{Image: imageName},
 		&manager.ControllerManagerConfig{},

diff --git a/pkg/plugins/golang/v3/scaffolds/internal/templates/config/manager/config.go b/pkg/plugins/golang/v3/scaffolds/internal/templates/config/manager/config.go
@@ -100,5 +100,6 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
 `
diff --git a/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go b/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/auth_proxy_role_binding.go
@@ -50,6 +50,6 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `
diff --git a/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/kustomization.go b/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/kustomization.go
@@ -43,6 +43,12 @@ func (f *Kustomization) SetTemplateDefaults() error {
 }
 
 const kustomizeRBACTemplate = `resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# targets if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

diff --git a/...lugins/golang/v3/scaffolds/internal/templates/config/rbac/leader_election_role_binding.go b/...lugins/golang/v3/scaffolds/internal/templates/config/rbac/leader_election_role_binding.go
@@ -50,6 +50,6 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `
diff --git a/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/role_binding.go b/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/role_binding.go
@@ -50,6 +50,6 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
 `
diff --git a/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/service_account.go b/pkg/plugins/golang/v3/scaffolds/internal/templates/config/rbac/service_account.go
@@ -0,0 +1,48 @@
+/*
+Copyright 2021 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package rbac
+
+import (
+	"path/filepath"
+
+	"sigs.k8s.io/kubebuilder/v3/pkg/model/file"
+)
+
+var _ file.Template = &ServiceAccount{}
+
+// ServiceAccount scaffolds a file that defines the service account the manager is deployed in.
+type ServiceAccount struct {
+	file.TemplateMixin
+}
+
+// SetTemplateDefaults implements file.Template
+func (f *ServiceAccount) SetTemplateDefaults() error {
+	if f.Path == "" {
+		f.Path = filepath.Join("config", "rbac", "service_account.yaml")
+	}
+
+	f.TemplateBody = serviceAccountTemplate
+
+	return nil
+}
+
+const serviceAccountTemplate = `apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
+`
diff --git a/test/e2e/ci.sh b/test/e2e/ci.sh
@@ -17,8 +17,8 @@
 source "$(dirname "$0")/../common.sh"
 source "$(dirname "$0")/setup.sh"
 
-kind_cluster="kind"
-create_cluster ${KIND_K8S_VERSION} $kind_cluster
+export KIND_CLUSTER="kind"
+create_cluster ${KIND_K8S_VERSION}
 trap delete_cluster EXIT
 
 test_cluster
diff --git a/test/e2e/local.sh b/test/e2e/local.sh
@@ -17,13 +17,13 @@
 source "$(dirname "$0")/../common.sh"
 source "$(dirname "$0")/setup.sh"
 
-kind_cluster=local-kubebuilder-e2e
-create_cluster ${KIND_K8S_VERSION:-v1.18.0} $kind_cluster
+export KIND_CLUSTER="local-kubebuilder-e2e"
+create_cluster ${KIND_K8S_VERSION:-v1.18.0}
 if [ -z "${SKIP_KIND_CLEANUP:-}" ]; then
-    trap delete_cluster EXIT
+  trap delete_cluster EXIT
 fi
 
-kind export kubeconfig --kubeconfig $tmp_root/kubeconfig --name $kind_cluster
+kind export kubeconfig --kubeconfig $tmp_root/kubeconfig --name $KIND_CLUSTER
 export KUBECONFIG=$tmp_root/kubeconfig
 
 test_cluster -v -ginkgo.v
diff --git a/test/e2e/setup.sh b/test/e2e/setup.sh
@@ -23,10 +23,12 @@ install_kind
 #
 # Usage:
 #
-#   create_cluster <k8s version> <kind cluster name>
+#   export KIND_CLUSTER=<kind cluster name>
+#   create_cluster <k8s version>
 function create_cluster {
-  if ! kind get clusters | grep -q $2 ; then
-    kind create cluster -v 4 --name $2 --retain --wait=1m --config $(dirname "$0")/kind-config.yaml --image=kindest/node:$1
+  : ${KIND_CLUSTER:?"KIND_CLUSTER must be set"}
+  if ! kind get clusters | grep -q $KIND_CLUSTER ; then
+    kind create cluster -v 4 --name $KIND_CLUSTER --retain --wait=1m --config $(dirname "$0")/kind-config.yaml --image=kindest/node:$1
   fi
 }
 
@@ -35,10 +37,11 @@ function create_cluster {
 #
 # Usage:
 #
-#   kind_cluster=<kind cluster name>
+#   export KIND_CLUSTER=<kind cluster name>
 #   delete_cluster
 function delete_cluster {
-    kind delete cluster --name $kind_cluster
+  : ${KIND_CLUSTER:?"KIND_CLUSTER must be set"}
+  kind delete cluster --name $KIND_CLUSTER
 }
 
 function test_cluster {

diff --git a/test/e2e/utils/kubectl.go b/test/e2e/utils/kubectl.go
@@ -27,7 +27,8 @@ import (
 // Kubectl contains context to run kubectl commands
 type Kubectl struct {
 	*CmdContext
-	Namespace string
+	Namespace      string
+	ServiceAccount string
 }
 
 // Command is a general func to run kubectl commands

diff --git a/test/e2e/utils/test_context.go b/test/e2e/utils/test_context.go
@@ -56,8 +56,9 @@ func NewTestContext(binaryName string, env ...string) (*TestContext, error) {
 
 	// Use kubectl to get Kubernetes client and cluster version.
 	kubectl := &Kubectl{
-		Namespace:  fmt.Sprintf("e2e-%s-system", testSuffix),
-		CmdContext: cc,
+		Namespace:      fmt.Sprintf("e2e-%s-system", testSuffix),
+		ServiceAccount: fmt.Sprintf("e2e-%s-controller-manager", testSuffix),
+		CmdContext:     cc,
 	}
 	k8sVersion, err := kubectl.Version()
 	if err != nil {

diff --git a/test/e2e/v3/plugin_cluster_test.go b/test/e2e/v3/plugin_cluster_test.go
@@ -69,6 +69,11 @@ var _ = Describe("kubebuilder", func() {
 			})
 
 			It("should generate a runnable project", func() {
+				// go/v3 uses a unqiue-per-project service account name,
+				// while go/v2 still uses "default".
+				tmp := kbc.Kubectl.ServiceAccount
+				kbc.Kubectl.ServiceAccount = "default"
+				defer func() { kbc.Kubectl.ServiceAccount = tmp }()
 				GenerateV2(kbc)
 				Run(kbc)
 			})
@@ -166,7 +171,7 @@ func Run(kbc *utils.TestContext) {
 	_, err = kbc.Kubectl.Command(
 		"create", "clusterrolebinding", fmt.Sprintf("metrics-%s", kbc.TestSuffix),
 		fmt.Sprintf("--clusterrole=e2e-%s-metrics-reader", kbc.TestSuffix),
-		fmt.Sprintf("--serviceaccount=%s:default", kbc.Kubectl.Namespace))
+		fmt.Sprintf("--serviceaccount=%s:%s", kbc.Kubectl.Namespace, kbc.Kubectl.ServiceAccount))
 	ExpectWithOffset(1, err).NotTo(HaveOccurred())
 
 	_ = curlMetrics(kbc)
@@ -263,18 +268,23 @@ func Run(kbc *utils.TestContext) {
 // curlMetrics curl's the /metrics endpoint, returning all logs once a 200 status is returned.
 func curlMetrics(kbc *utils.TestContext) string {
 	By("reading the metrics token")
-	b64Token, err := kbc.Kubectl.Get(true, "secrets", "-o=jsonpath={.items[0].data.token}")
+	// Filter token query by service account in case more than one exists in a namespace.
+	query := fmt.Sprintf(`{.items[?(@.metadata.annotations.kubernetes\.io/service-account\.name=="%s")].data.token}`,
+		kbc.Kubectl.ServiceAccount,
+	)
+	b64Token, err := kbc.Kubectl.Get(true, "secrets", "-o=jsonpath="+query)
 	ExpectWithOffset(2, err).NotTo(HaveOccurred())
 	token, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64Token))
 	ExpectWithOffset(2, err).NotTo(HaveOccurred())
 	ExpectWithOffset(2, len(token)).To(BeNumerically(">", 0))
 
 	By("creating a curl pod")
 	cmdOpts := []string{
-		"run", "--generator=run-pod/v1", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure", "--",
+		"run", "--generator=run-pod/v1", "curl", "--image=curlimages/curl:7.68.0", "--restart=OnFailure",
+		"--serviceaccount=" + kbc.Kubectl.ServiceAccount, "--",
 		"curl", "-v", "-k", "-H", fmt.Sprintf(`Authorization: Bearer %s`, token),
-		fmt.Sprintf("https://e2e-%v-controller-manager-metrics-service.e2e-%v-system.svc:8443/metrics",
-			kbc.TestSuffix, kbc.TestSuffix),
+		fmt.Sprintf("https://e2e-%s-controller-manager-metrics-service.%s.svc:8443/metrics",
+			kbc.TestSuffix, kbc.Kubectl.Namespace),
 	}
 	_, err = kbc.Kubectl.CommandInNamespace(cmdOpts...)
 	ExpectWithOffset(2, err).NotTo(HaveOccurred())

diff --git a/testdata/project-v3-addon/config/manager/manager.yaml b/testdata/project-v3-addon/config/manager/manager.yaml
@@ -52,4 +52,5 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
diff --git a/testdata/project-v3-addon/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v3-addon/config/rbac/auth_proxy_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-addon/config/rbac/kustomization.yaml b/testdata/project-v3-addon/config/rbac/kustomization.yaml
@@ -1,4 +1,10 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# targets if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

diff --git a/testdata/project-v3-addon/config/rbac/leader_election_role_binding.yaml b/testdata/project-v3-addon/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-addon/config/rbac/role_binding.yaml b/testdata/project-v3-addon/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-addon/config/rbac/service_account.yaml b/testdata/project-v3-addon/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
diff --git a/testdata/project-v3-config/config/manager/manager.yaml b/testdata/project-v3-config/config/manager/manager.yaml
@@ -50,4 +50,5 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
diff --git a/testdata/project-v3-config/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v3-config/config/rbac/auth_proxy_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-config/config/rbac/kustomization.yaml b/testdata/project-v3-config/config/rbac/kustomization.yaml
@@ -1,4 +1,10 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# targets if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

diff --git a/testdata/project-v3-config/config/rbac/leader_election_role_binding.yaml b/testdata/project-v3-config/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-config/config/rbac/role_binding.yaml b/testdata/project-v3-config/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-config/config/rbac/service_account.yaml b/testdata/project-v3-config/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
diff --git a/testdata/project-v3-multigroup/config/manager/manager.yaml b/testdata/project-v3-multigroup/config/manager/manager.yaml
@@ -52,4 +52,5 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
diff --git a/testdata/project-v3-multigroup/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v3-multigroup/config/rbac/auth_proxy_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-multigroup/config/rbac/kustomization.yaml b/testdata/project-v3-multigroup/config/rbac/kustomization.yaml
@@ -1,4 +1,10 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# targets if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

diff --git a/testdata/project-v3-multigroup/config/rbac/leader_election_role_binding.yaml b/testdata/project-v3-multigroup/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-multigroup/config/rbac/role_binding.yaml b/testdata/project-v3-multigroup/config/rbac/role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: manager-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3-multigroup/config/rbac/service_account.yaml b/testdata/project-v3-multigroup/config/rbac/service_account.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: controller-manager
+  namespace: system
diff --git a/testdata/project-v3/config/manager/manager.yaml b/testdata/project-v3/config/manager/manager.yaml
@@ -52,4 +52,5 @@ spec:
           requests:
             cpu: 100m
             memory: 20Mi
+      serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10
diff --git a/testdata/project-v3/config/rbac/auth_proxy_role_binding.yaml b/testdata/project-v3/config/rbac/auth_proxy_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: proxy-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system
diff --git a/testdata/project-v3/config/rbac/kustomization.yaml b/testdata/project-v3/config/rbac/kustomization.yaml
@@ -1,4 +1,10 @@
 resources:
+# All RBAC will be applied under this service account in
+# the deployment namespace. You may comment out this resource
+# if your manager will use a service account that exists at
+# runtime. Be sure to update RoleBinding and ClusterRoleBinding
+# targets if changing service account names.
+- service_account.yaml
 - role.yaml
 - role_binding.yaml
 - leader_election_role.yaml

diff --git a/testdata/project-v3/config/rbac/leader_election_role_binding.yaml b/testdata/project-v3/config/rbac/leader_election_role_binding.yaml
@@ -8,5 +8,5 @@ roleRef:
   name: leader-election-role
 subjects:
 - kind: ServiceAccount
-  name: default
+  name: controller-manager
   namespace: system