Add projected SA token support to controller-manager chart#6873
Conversation
FedRAMP Gatekeeper can require controller-manager pods to disable automatic service account token mounting. The controller still uses in-cluster Kubernetes authentication, so when automatic mounting is disabled the chart needs to provide the same token, CA, and namespace files through an explicit projected volume. The tidb-operator chart now exposes controllerManager.automountServiceAccountToken, defaults it to true to preserve existing behavior, and mounts a projected service account token volume when it is set to false. Constraint: FedRAMP block-automount-serviceaccount-token-pod policy rejects automatic service account token mounting Rejected: Require users to patch controller-manager-deployment.yaml locally | keeps FedRAMP deployments on an unreviewed chart fork Confidence: high Scope-risk: narrow Directive: Keep the projected volume path aligned with Kubernetes' default service account token path because client-go in-cluster config reads from there Tested: helm lint charts/tidb-operator Tested: helm template test charts/tidb-operator --namespace tidb-admin Tested: helm template test charts/tidb-operator --namespace tidb-admin --set controllerManager.automountServiceAccountToken=false Tested: git diff --check
|
/retest |
|
/test pull-e2e-kind-br |
|
/retest |
|
/test pull-e2e-kind-tidbcluster |
|
/lgtm |
[LGTM Timeline notifier]Timeline:
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liubog2008 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/cherry-pick release-1.6 |
|
@liubog2008: once the present PR merges, I will cherry-pick it on top of release-1.6 in the new PR and assign it to you. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository. |
|
@liubog2008: new pull request created to branch DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the ti-community-infra/tichi repository. |
3 participants
What problem does this PR solve?
FedRAMP Gatekeeper can enforce
block-automount-serviceaccount-token-pod, requiring controller-manager pods to run withautomountServiceAccountToken: false.When automatic service account token mounting is disabled, controller-manager still needs the standard in-cluster credential files under
/var/run/secrets/kubernetes.io/serviceaccountso client-go can authenticate to the Kubernetes API.What is changed and how does it work?
This adds
controllerManager.automountServiceAccountTokento the tidb-operator chart, defaulting totrueto preserve current behavior.When set to
false, the chart renders:automountServiceAccountToken: falsein the controller-manager pod specsa-tokenvolumeMount at/var/run/secrets/kubernetes.io/serviceaccounttokenkube-root-ca.crtconfigmap item atca.crtnamespaceExample:
Check List
Tests
Side effects
Release note
Verification
helm lint charts/tidb-operatorhelm template test charts/tidb-operator --namespace tidb-adminhelm template test charts/tidb-operator --namespace tidb-admin --set controllerManager.automountServiceAccountToken=falsegit diff --check