From f08069fe6c70d29f8214547ce880852458e47d27 Mon Sep 17 00:00:00 2001
From: urlampranita
Date: Wed, 28 Jan 2026 09:58:56 +0530
Subject: [PATCH 1/2] Limit kubeconfig generation to warnet-user service account

---
 src/warnet/admin.py | 4 ++--
 src/warnet/k8s.py | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/warnet/admin.py b/src/warnet/admin.py
index 233a220e9..7889fa384 100644
--- a/src/warnet/admin.py
+++ b/src/warnet/admin.py
@@ -11,7 +11,7 @@
     K8sError,
     get_cluster_of_current_context,
     get_namespaces_by_type,
-    get_service_accounts_in_namespace,
+    get_warnet_user_service_accounts_in_namespace,
     open_kubeconfig,
 )
 from .namespaces import copy_namespaces_defaults, namespaces
@@ -84,7 +84,7 @@ def create_kubeconfigs(kubeconfig_dir, token_duration):
     for v1namespace in warnet_namespaces:
         namespace = v1namespace.metadata.name
         click.echo(f"Processing namespace: {namespace}")
-        service_accounts = get_service_accounts_in_namespace(namespace)
+        service_accounts = get_warnet_user_service_accounts_in_namespace(namespace)
 
         for sa in service_accounts:
             # Create a token for the ServiceAccount with specified duration
diff --git a/src/warnet/k8s.py b/src/warnet/k8s.py
index 528dfe34f..7a21ca0d5 100644
--- a/src/warnet/k8s.py
+++ b/src/warnet/k8s.py
@@ -489,14 +489,14 @@ def get_namespaces_by_type(namespace_type: str) -> list[V1Namespace]:
     return [ns for ns in namespaces if ns.metadata.name.startswith(namespace_type)]
 
 
-def get_service_accounts_in_namespace(namespace):
+def get_warnet_user_service_accounts_in_namespace(namespace):
     """
     Get all service accounts in a namespace. Returns an empty list if no service accounts are found in the specified namespace.
     """
     command = f"kubectl get serviceaccounts -n {namespace} -o jsonpath={{.items[*].metadata.name}}"
     # skip the default service account created by k8s
     service_accounts = run_command(command).split()
-    return [sa for sa in service_accounts if sa != "default"]
+    return [sa for sa in service_accounts if sa == "warnet-user"]
 
 
 def can_delete_pods(namespace: Optional[str] = None) -> bool:

From 3bb3ba6f08e9d9a88af83d1dc30a50d8032f0d10 Mon Sep 17 00:00:00 2001
From: urlampranita
Date: Wed, 28 Jan 2026 10:42:28 +0530
Subject: [PATCH 2/2] Fix filter to exclude commander accounts instead of only allowing warnet-user

---
 src/warnet/k8s.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/warnet/k8s.py b/src/warnet/k8s.py
index 7a21ca0d5..e3ba9e792 100644
--- a/src/warnet/k8s.py
+++ b/src/warnet/k8s.py
@@ -494,9 +494,9 @@ def get_warnet_user_service_accounts_in_namespace(namespace):
     Get all service accounts in a namespace. Returns an empty list if no service accounts are found in the specified namespace.
     """
     command = f"kubectl get serviceaccounts -n {namespace} -o jsonpath={{.items[*].metadata.name}}"
-    # skip the default service account created by k8s
+    # skip the default service account created by k8s and commander service accounts created by scenarios
     service_accounts = run_command(command).split()
-    return [sa for sa in service_accounts if sa == "warnet-user"]
+    return [sa for sa in service_accounts if sa != "default" and not sa.startswith("commander-")]
 
 
 def can_delete_pods(namespace: Optional[str] = None) -> bool:
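Review bot: After the second k8s.py hunk, `get_warnet_user_service_accounts_in_namespace` is a denylist (everything except `default` and `commander-*`), so both its name and the untouched docstring `Get all service accounts in a namespace.` now misdescribe what it returns, and the caller in `create_kubeconfigs` creates a token for every account it yields. Any service account that a chart or scenario later adds to a warnet namespace would therefore receive a kubeconfig without anyone choosing that; if `warnet-user` is the only account meant to get one, the allowlist from the first hunk (`sa == "warnet-user"`) is the least-privilege form, and if other accounts are intended the docstring should name which ones and why. At minimum update the docstring to something like `Return the service accounts in the namespace that should receive a generated kubeconfig: every account except the k8s default account and scenario commander-* accounts; empty list if none.` The first k8s.py hunk carries the same stale docstring, and the `warnet_user` part of the name no longer matches the second hunk's behaviour.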