Allow users to configure the serviceAccountName for the kanister pods #3421

Closed
alita1991 opened this issue Mar 25, 2025 · 2 comments

@alita1991

Is your feature request related to a problem? Please describe.
I created a new blueprint that requires access to the K8s API to patch resources like ArgoCD, so I extended the Kanister operator's RBAC with additional roles. However, when executing the Kanister task in the application namespace, it defaults to using the standard service account.

kanister/pkg/kube/pod.go

Lines 79 to 87 in fa04d77

// If a ServiceAccount is not specified and we are in the controller's
// namespace, use the same service account as the controller.
sa := opts.ServiceAccountName
if sa == "" && ns == cns {
	sa, err = GetControllerServiceAccount(cli)
	if err != nil {
		return nil, errors.Wrap(err, "Failed to get Controller Service Account")
	}
}

Describe the solution you'd like
The serviceAccountName field should be configurable (with this solution, a user can provision the required RBAC + serviceAccount).

Environment
Kubernetes Version/Provider: AWS EKS 1.31
Storage Provider: AWS EBS
Cluster Size (#nodes): 6 nodes (3 masters + 3 workers)
Data Size: 10Gi

Additional context
The default service account does not allow the users to perform the actions that the kanister operator service account can do.

Contributor

Thanks for opening this issue 👍. The team will review it shortly.

If this is a bug report, make sure to include clear instructions on how to reproduce the problem with minimal reproducible examples, where possible. If this is a security report, please review our security policy as outlined in SECURITY.md.

If you haven't already, please take a moment to review our project's Code of Conduct document.

@viveksinghggits
Contributor

This question is answered here in this Slack thread: https://cloud-native.slack.com/archives/C08J4RJC9HA/p1742927225143149?thread_ts=1742826287.333369&cid=C08J4RJC9HA

As documented here (https://docs.kanister.io/functions.html#kubetask), the serviceAccount for the KubeTask pod can be configured using the function argument podOverride. Below is how it can be used:

- func: KubeTask
  name: examplePhase
  args:
    namespace: "{{ .Deployment.Namespace }}"
    image: busybox
    podOverride:
      serviceAccountName: <serviceaccount-name>
      containers:
      - name: container
        imagePullPolicy: IfNotPresent
    podAnnotations:
      annKey: annValue
    podLabels:
      labelKey: labelValue
    command:
      - sh
      - -c
      - |
        echo "Example"
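
An added example, not from the issue or the Kanister project: a dedicated least-privilege ServiceAccount that `podOverride.serviceAccountName` can reference, so the KubeTask pod does not need the operator's own permissions. The namespaces (`my-app`, `argocd`), the object names, and the choice of Argo CD `applications` as the patched resource are assumptions.

```yaml
# Added example; every name below is a hypothetical placeholder.
# Assumptions: the KubeTask pod runs in namespace "my-app" and the Argo CD
# Application object it patches lives in namespace "argocd".
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kanister-kubetask        # value for podOverride.serviceAccountName
  namespace: my-app              # must be the namespace the KubeTask pod runs in
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: kubetask-argocd-patch
  namespace: argocd              # Role is scoped to where the target object lives
rules:
  - apiGroups: ["argoproj.io"]
    resources: ["applications"]
    resourceNames: ["my-app"]    # only the one Application the blueprint touches
    verbs: ["get", "patch"]      # no list/watch/delete, no wildcard verbs
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: kubetask-argocd-patch
  namespace: argocd
subjects:
  - kind: ServiceAccount
    name: kanister-kubetask
    namespace: my-app            # subject may live in a different namespace than the Role
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubetask-argocd-patch
```

The grant can be checked before running the blueprint with `kubectl auth can-i patch applications.argoproj.io/my-app -n argocd --as=system:serviceaccount:my-app:kanister-kubetask`; the same command with `delete` in place of `patch` should answer `no`.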
