[RFC-0010] Add default-service-account for lockdown

Add --default-service-account flag for multi-tenant workload identity lockdown support. This flag sets the default service account name to be used when .spec.serviceAccountName is not specified in resources. Signed-off-by: cappyzawa <cappyzawa@gmail.com>
2025-08-17 06:04:55 +09:00 · 2025-08-17 06:04:55 +09:00 · f62fa803ef
parent efa9671ebc
commit f62fa803ef
4 changed files with 14 additions and 4 deletions
--- a/go.mod
+++ b/go.mod
@ -20,7 +20,7 @@ require (
 	github.com/fluxcd/pkg/apis/acl v0.8.0
 	github.com/fluxcd/pkg/apis/event v0.18.0
 	github.com/fluxcd/pkg/apis/meta v1.18.0
-	github.com/fluxcd/pkg/auth v0.21.0
+	github.com/fluxcd/pkg/auth v0.26.0
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/git v0.35.0
 	github.com/fluxcd/pkg/git/gogit v0.38.0
--- a/go.sum
+++ b/go.sum
@ -134,8 +134,8 @@ github.com/fluxcd/pkg/apis/event v0.18.0 h1:PNbWk9gvX8gMIi6VsJapnuDO+giLEeY+6olL
 github.com/fluxcd/pkg/apis/event v0.18.0/go.mod h1:7S/DGboLolfbZ6stO6dcDhG1SfkPWQ9foCULvbiYpiA=
 github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
 github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
-github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15M=
-github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
+github.com/fluxcd/pkg/auth v0.26.0 h1:jw128zPI4aRSvkGbFfAQcFNF3oK58P4rDdKIpj2/7yM=
+github.com/fluxcd/pkg/auth v0.26.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
 github.com/fluxcd/pkg/git v0.35.0 h1:mAauhsdfxNW4yQdXviVlvcN/uCGGG0+6p5D1+HFZI9w=
--- a/internal/source/git.go
+++ b/internal/source/git.go
@ -204,7 +204,10 @@ func getAuthOpts(ctx context.Context, c client.Client, repo *sourcev1.GitReposit
 	switch provider := repo.GetProvider(); provider {
 	case sourcev1.GitProviderAzure: // If AWS or GCP are added in the future they can be added here separated by a comma.
 		getCreds = func() (*authutils.GitCredentials, error) {
-			var opts []auth.Option
+			opts := []auth.Option{
+				auth.WithClient(c),
+				auth.WithServiceAccountNamespace(srcOpts.objNamespace),
+			}

 			if srcOpts.tokenCache != nil {
 				involvedObject := cache.InvolvedObject{
--- a/main.go
+++ b/main.go
@ -93,12 +93,15 @@ func main() {
 		watchOptions          helper.WatchOptions
 		concurrent            int
 		tokenCacheOptions     cache.TokenFlags
+		defaultServiceAccount string
 	)

 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
 	flag.StringVar(&eventsAddr, "events-addr", "", "The address of the events receiver.")
 	flag.StringVar(&healthAddr, "health-addr", ":9440", "The address the health endpoint binds to.")
 	flag.IntVar(&concurrent, "concurrent", 4, "The number of concurrent resource reconciles.")
+	flag.StringVar(&defaultServiceAccount, auth.ControllerFlagDefaultServiceAccount,
+		"", "Default service account to use for workload identity when not specified in resources.")
 	flag.StringSliceVar(&git.KexAlgos, "ssh-kex-algos", []string{},
 		"The list of key exchange algorithms to use for ssh connections, arranged from most preferred to the least.")
 	flag.StringSliceVar(&git.HostKeyAlgos, "ssh-hostkey-algos", []string{},
@ -115,6 +118,10 @@ func main() {

 	flag.Parse()

+	if defaultServiceAccount != "" {
+		auth.SetDefaultServiceAccount(defaultServiceAccount)
+	}
+
 	logger.SetLogger(logger.NewLogger(logOptions))

 	err := featureGates.WithLogger(setupLog).