feat(core): Add kubernetes api access to jobs (#146)

Signed-off-by: Christian Kreuzberger <[email protected]>

chart/templates/configmap.yaml

@@ -10,3 +10,4 @@ data:
   default_resource_requests_cpu: "50m"
   default_resource_requests_memory: "128Mi"
   always_send_finished_event: "false"
+  enable_kubernetes_api_access: "{{ .Values.jobConfig.enableKubernetesApiAccess | default false }}"

chart/templates/deployment.yaml

@@ -87,6 +87,11 @@ spec:
               configMapKeyRef:
                 name: job-service-config
                 key: always_send_finished_event
+          - name: ENABLE_KUBERNETES_API_ACCESS
+            valueFrom:
+              configMapKeyRef:
+                name: job-service-config
+                key: enable_kubernetes_api_access
           livenessProbe:
             httpGet:
               path: /health

chart/values.yaml

@@ -29,6 +29,9 @@ remoteControlPlane:
     apiValidateTls: true                     # Defines if the control plane certificate should be validated
     token: ""                                # Keptn API Token
 
+jobConfig:
+  enableKubernetesApiAccess: false           # whether or not the started jobs should have Kubernetes API Access
+
 
 imagePullSecrets: [ ]                        # Secrets to use for container registry credentials
 

cmd/job-executor-service/main.go

@@ -47,6 +47,8 @@ type envConfig struct {
 	DefaultResourceRequestsMemory string `envconfig:"DEFAULT_RESOURCE_REQUESTS_MEMORY"`
 	// Respond with .finished event if no configuration found
 	AlwaysSendFinishedEvent string `envconfig:"ALWAYS_SEND_FINISHED_EVENT"`
+	// Whether jobs can access Kubernetes API
+	EnableKubernetesAPIAccess string `envconfig:"ENABLE_KUBERNETES_API_ACCESS"`
 }
 
 // ServiceName specifies the current services name (e.g., used as source when sending CloudEvents)
@@ -105,13 +107,18 @@ func processKeptnCloudEvent(ctx context.Context, event cloudevents.Event) error
 			InitContainerImage:          env.InitContainerImage,
 			DefaultResourceRequirements: DefaultResourceRequirements,
 			AlwaysSendFinishedEvent:     false,
+			EnableKubernetesAPIAccess:   false,
 		},
 	}
 
 	if env.AlwaysSendFinishedEvent == "true" {
 		eventHandler.JobSettings.AlwaysSendFinishedEvent = true
 	}
 
+	if env.EnableKubernetesAPIAccess == "true" {
+		eventHandler.JobSettings.EnableKubernetesAPIAccess = true
+	}
+
 	// prevent duplicate events - https://github.com/keptn/keptn/issues/3888
 	go eventHandler.HandleEvent()
 

pkg/k8sutils/job.go

@@ -34,6 +34,7 @@ type JobSettings struct {
 	InitContainerImage                           string
 	DefaultResourceRequirements                  *v1.ResourceRequirements
 	AlwaysSendFinishedEvent                      bool
+	EnableKubernetesAPIAccess                    bool
 }
 
 // CreateK8sJob creates a k8s job with the job-executor-service-initcontainer and the job image of the task
@@ -68,7 +69,15 @@ func (k8s *k8sImpl) CreateK8sJob(jobName string, action *config.Action, task con
 		Medium:    v1.StorageMediumDefault,
 		SizeLimit: &quantity,
 	}
-	automountServiceAccountToken := false
+	automountServiceAccountToken := jobSettings.EnableKubernetesAPIAccess
+
+	// specify empty service account name for job
+	serviceAccountName := ""
+
+	if jobSettings.EnableKubernetesAPIAccess {
+		automountServiceAccountToken = true
+		serviceAccountName = "job-executor-service"
+	}
 
 	runAsNonRoot := true
 	convert := func(s int64) *int64 {
@@ -174,6 +183,7 @@ func (k8s *k8sImpl) CreateK8sJob(jobName string, action *config.Action, task con
 						},
 					},
 					AutomountServiceAccountToken: &automountServiceAccountToken,
+					ServiceAccountName:           serviceAccountName,
 				},
 			},
 			BackoffLimit:            &backOffLimit,