Copy serviceAccountName to affinity-assistant

When a serviceAccountName is specified on a PipelineRun, all Pods that execute the constituent Tasks run with the specified ServiceAccount. If an Affinity Assistant pod is launched, it should also run with the same ServiceAccount. This ensures that cluster policies apply consistently to Tekton-launched Pods, and it avoids use of the "default" ServiceAccount that is discouraged by some Kubernetes security experts.
tektoncd · Feb 4, 2021 · 5d30456 · 5d30456
1 parent 9850785
commit 5d30456
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/pkg/reconciler/pipelinerun/affinity_assistant.go b/pkg/reconciler/pipelinerun/affinity_assistant.go
@@ -139,6 +139,11 @@ func affinityAssistantStatefulSet(name string, pr *v1beta1.PipelineRun, claimNam
 		nodeSelector = pr.Spec.PodTemplate.NodeSelector
 	}
 
+	serviceAccount := "default"
+	if pr.Spec.ServiceAccountName != "" {
+		serviceAccount = pr.Spec.ServiceAccountName
+	}
+
 	containers := []corev1.Container{{
 		Name:  "affinity-assistant",
 		Image: affinityAssistantImage,
@@ -192,9 +197,10 @@ func affinityAssistantStatefulSet(name string, pr *v1beta1.PipelineRun, claimNam
 					Labels: getStatefulSetLabels(pr, name),
 				},
 				Spec: corev1.PodSpec{
-					Containers:   containers,
-					Tolerations:  tolerations,
-					NodeSelector: nodeSelector,
+					Containers:         containers,
+					Tolerations:        tolerations,
+					NodeSelector:       nodeSelector,
+					ServiceAccountName: serviceAccount,
 					Affinity: &corev1.Affinity{
 						PodAntiAffinity: &corev1.PodAntiAffinity{
 							PreferredDuringSchedulingIgnoredDuringExecution: []corev1.WeightedPodAffinityTerm{repelOtherAffinityAssistantsPodAffinityTerm},

diff --git a/pkg/reconciler/pipelinerun/affinity_assistant_test.go b/pkg/reconciler/pipelinerun/affinity_assistant_test.go
@@ -117,6 +117,24 @@ func TestThatCustomTolerationsAndNodeSelectorArePropagatedToAffinityAssistant(t
 	}
 }
 
+func TestThatCustomServiceAccountIsPropagatedToAffinityAssistant(t *testing.T) {
+	prWithCustomPodTemplate := &v1beta1.PipelineRun{
+		TypeMeta: metav1.TypeMeta{Kind: "PipelineRun"},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pipelinerun-with-custom-podtemplate",
+		},
+		Spec: v1beta1.PipelineRunSpec{
+			ServiceAccountName: "test-service-account",
+			PodTemplate:        &pod.Template{},
+		},
+	}
+
+	stsWithServiceAccount := affinityAssistantStatefulSet("test-assistant", prWithCustomPodTemplate, "mypvc", "nginx")
+	if stsWithServiceAccount.Spec.Template.Spec.ServiceAccountName != "test-service-account" {
+		t.Errorf("expected non-default ServiceAccountName in the StatefulSet")
+	}
+}
+
 func TestThatTheAffinityAssistantIsWithoutNodeSelectorAndTolerations(t *testing.T) {
 	prWithoutCustomPodTemplate := &v1beta1.PipelineRun{
 		TypeMeta: metav1.TypeMeta{Kind: "PipelineRun"},