Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(KEP): add service account auto injection KEP for sidecarset #1820

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

magicsong
Copy link

Ⅰ. Describe what this PR does

a KEP to add service account auto injection for sidecarset

Ⅱ. Does this pull request fix one issue?

Ⅲ. Describe how to verify it

Ⅳ. Special notes for reviews

related issue: #1747

@magicsong magicsong force-pushed the add_service_account_proposal branch from 2b41871 to 3c64776 Compare November 6, 2024 09:47
@magicsong magicsong changed the title feat(KEP): add service account auto injection KEP for sidecarset [WIP] feat(KEP): add service account auto injection KEP for sidecarset Nov 6, 2024
Copy link

codecov bot commented Nov 6, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 49.94%. Comparing base (0d0031a) to head (880be6b).
Report is 112 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #1820      +/-   ##
==========================================
+ Coverage   47.91%   49.94%   +2.02%     
==========================================
  Files         162      192      +30     
  Lines       23491    24634    +1143     
==========================================
+ Hits        11256    12303    +1047     
- Misses      11014    11053      +39     
- Partials     1221     1278      +57     
Flag Coverage Δ
unittests 49.94% <ø> (+2.02%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@magicsong magicsong force-pushed the add_service_account_proposal branch from 3c64776 to f664b5f Compare November 6, 2024 11:05
@magicsong magicsong changed the title [WIP] feat(KEP): add service account auto injection KEP for sidecarset feat(KEP): add service account auto injection KEP for sidecarset Nov 6, 2024
Signed-off-by: magicsong <songxuetao@bytedance.com>
@magicsong magicsong force-pushed the add_service_account_proposal branch from f664b5f to 880be6b Compare November 6, 2024 11:17

### Risks and Mitigations

- **Risk**: Potential misconfiguration may lead to sidecars running with unintended permissions.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand that when you mention "whitelist," you are referring to "role," right? In this scenario, it is ultimately the user's responsibility to create the RoleBinding, and Kruise should not manage this Role

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the whitelist is to control which sidecarset can inject which serviceaccount, so as to control the risk that un-intended user of sidecarset inject serviceaccounts.

### API Changes

1. Add a new `serviceAccountName` field in the SidecarSet specification, allowing users to define a ServiceAccount specifically for the sidecar containers.
2. Add a new `errorWhenServiceAccountInjectionConflict` field in the SidecarSet specification to control the behavior when multiple SidecarSets inject different ServiceAccounts into the same pod.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it seems reporting an error is the only sane solution when facing injection conflict. it is overly complex and security nightmare if kruise-manager can merge and operate rolebinding/clusterrolebinding

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why? Merging a role isn't very difficult. However, shouldn't we do it before the user realizes the original role list will be lost?

metadata:
name: sidecarset-sample
spec:
serviceAccountName: "sidecar-service-account"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. what if the user change the serviceAccountName in the SidecarSet, what is the expected behavior?
  2. what if the service account does not exist in the namespaces to related pods

Copy link
Author

@magicsong magicsong Nov 12, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. This field is immutable, just like in Kubernetes.
  2. We handle it during validation; the service account must exist.

@furykerry
Copy link
Member

@magicsong can you attend the bi-weekly community meeting this week, we can discuss the kep in detail

@magicsong
Copy link
Author

@magicsong can you attend the bi-weekly community meeting this week, we can discuss the kep in detail

sure

@furykerry
Copy link
Member

another possible solution is to add secret backed service account using volumes.
https://discuss.kubernetes.io/t/can-you-have-two-containers-in-a-pod-have-different-service-accounts/19156/2

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants