Optional support for custom default service account

mikkeloscar · mikkeloscar · commit b836a72e0eb8 · 2024-04-03T16:33:20.000+02:00
Signed-off-by: Mikkel Oscar Lyderik Larsen &lt;mikkel.larsen@zalando.de&gt;
diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
@@ -591,6 +591,10 @@ teapot_admission_controller_crd_role_provisioning_allowed_api_groups: "flink.k8s
 teapot_admission_controller_topology_spread: optin
 teapot_admission_controller_topology_spread_timeout: 7m
 
+# Inject custom default service account to identify client pods using default SA
+# to read from the Kubernetes API.
+teapot_admission_controller_custom_default_service_account: "false"
+
 
 # Enable and configure runtime-policy annotation
 {{if eq .Cluster.Environment "production"}}
diff --git a/cluster/manifests/01-admission-control/config.yaml b/cluster/manifests/01-admission-control/config.yaml
@@ -61,6 +61,10 @@ data:
   podfactory.base-image-check.namespaces: "{{ .Cluster.ConfigItems.teapot_admission_controller_validate_base_images_namespaces }}"
 {{- end }}
 
+{{- if eq .Cluster.ConfigItems.teapot_admission_controller_custom_default_service_account "true"}}
+  podfactory.custom-default-service-account.enable: "true"
+{{- end }}
+
   # This setting enables and disables the container image compliance checks
   pod.image-check.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_validate_pod_images }}"
 
diff --git a/cluster/node-pools/master-default/userdata.yaml b/cluster/node-pools/master-default/userdata.yaml
@@ -205,7 +205,8 @@ write_files:
             limits:
               memory: {{ .Values.InstanceInfo.MemoryFraction (parseInt64 .Cluster.ConfigItems.apiserver_memory_limit_percent)}}
 {{- end }}
-        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-198
+        # - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-198
+        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/staging_namespace/teapot/admission-controller:pr-202-12
           name: admission-controller
           lifecycle:
             preStop:
@@ -273,7 +274,12 @@ write_files:
             - mountPath: /etc/kubernetes/ssl
               name: ssl-certs-kubernetes
               readOnly: true
+<<<<<<< HEAD
         - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-128
+=======
+        # - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-127
+        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/staging_namespace/teapot/k8s-authnz-webhook:pr-159-1
+>>>>>>> 3a6b5fb65 (Optional support for custom default service account)
           name: webhook
           ports:
           - containerPort: 8081
