[RFC-0010] Add default-service-account for lockdown
Add --default-service-account flag for multi-tenant workload identity lockdown support. This flag sets the default service account name to be used when .spec.serviceAccountName is not specified in resources. Signed-off-by: cappyzawa <cappyzawa@gmail.com>
This commit is contained in:
parent
80b44ae0cf
commit
5dfa77feb3
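--- a/go.mod
+++ b/go.mod
@@ -13,7 +13,7 @@ require (
 github.com/fluxcd/pkg/apis/acl v0.8.0
 github.com/fluxcd/pkg/apis/event v0.18.0
 github.com/fluxcd/pkg/apis/meta v1.18.0
-github.com/fluxcd/pkg/auth v0.21.0
+github.com/fluxcd/pkg/auth v0.27.0
 github.com/fluxcd/pkg/cache v0.10.0
 github.com/fluxcd/pkg/runtime v0.80.0
 github.com/fluxcd/pkg/version v0.9.0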
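--- a/go.sum
+++ b/go.sum
@@ -177,8 +177,8 @@ github.com/fluxcd/pkg/apis/event v0.18.0 h1:PNbWk9gvX8gMIi6VsJapnuDO+giLEeY+6olL
 github.com/fluxcd/pkg/apis/event v0.18.0/go.mod h1:7S/DGboLolfbZ6stO6dcDhG1SfkPWQ9foCULvbiYpiA=
 github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
 github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
-github.com/fluxcd/pkg/auth v0.21.0 h1:ckAQqP12wuptXEkMY18SQKWEY09m9e6yI0mEMsDV15M=
-github.com/fluxcd/pkg/auth v0.21.0/go.mod h1:MXmpsXT97c874HCw5hnfqFUP7TsG8/Ss1vFrk8JccfM=
+github.com/fluxcd/pkg/auth v0.27.0 h1:DFsizUxt9ZDAc+z7+o7jcbtfaxRH55MRD/wdU4CXNCQ=
+github.com/fluxcd/pkg/auth v0.27.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
 github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=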
|
|
|
|||
|
|
@ -461,7 +461,8 @@ func TestImagePolicyReconciler_objectLevelWorkloadIdentityFeatureGate(t *testing
|
|||
t.Run("enabled", func(t *testing.T) {
|
||||
g := NewWithT(t)
|
||||
|
||||
t.Setenv(auth.EnvVarEnableObjectLevelWorkloadIdentity, "true")
|
||||
auth.EnableObjectLevelWorkloadIdentity()
|
||||
t.Cleanup(auth.DisableObjectLevelWorkloadIdentity)
|
||||
|
||||
namespaceName := "imagepolicy-" + randStringRunes(5)
|
||||
namespace := &corev1.Namespace{
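Review bot: Nothing in this commit tests the new default-service-account path: this subtest only turns the object-level workload identity gate on, and no test in view calls `auth.SetDefaultServiceAccount` and checks that an ImageRepository without `.spec.serviceAccountName` is resolved against the default while an explicit `.spec.serviceAccountName` still takes precedence. Because the default decides which identity every unnamed resource authenticates with, a subtest such as `t.Run("enabled with default service account", ...)` that sets the default, registers a cleanup that resets it, and asserts the resolved name would pin the lockdown semantics. Whether `auth.SetDefaultServiceAccount("")` is the right reset depends on pkg/auth, which is not in view. The enclosing test function starts before this hunk and continues after it.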
|
||||
|
|
|
|||
|
|
@ -85,16 +85,15 @@ func (r *AuthOptionsGetter) GetOptions(ctx context.Context, repo *imagev1.ImageR
|
|||
|
||||
if provider := repo.GetProvider(); provider != "" && provider != "generic" {
|
||||
// Build login provider options and use it to attempt registry login.
|
||||
var opts []auth.Option
|
||||
opts := []auth.Option{
|
||||
auth.WithClient(r.Client),
|
||||
auth.WithServiceAccountNamespace(repo.GetNamespace()),
|
||||
}
|
||||
if proxyURL != nil {
|
||||
opts = append(opts, auth.WithProxyURL(*proxyURL))
|
||||
}
|
||||
if repo.Spec.ServiceAccountName != "" {
|
||||
serviceAccount := client.ObjectKey{
|
||||
Name: repo.Spec.ServiceAccountName,
|
||||
Namespace: repo.GetNamespace(),
|
||||
}
|
||||
opts = append(opts, auth.WithServiceAccount(serviceAccount, r.Client))
|
||||
opts = append(opts, auth.WithServiceAccountName(repo.Spec.ServiceAccountName))
|
||||
}
|
||||
if r.TokenCache != nil {
|
||||
opts = append(opts, auth.WithCache(*r.TokenCache, *involvedObject))
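Review bot: The fallback to the controller-wide default service account is invisible at this call site: when `repo.Spec.ServiceAccountName` is empty, nothing here says that pkg/auth will substitute the value set via `auth.SetDefaultServiceAccount`, which is the security-relevant behaviour this commit introduces. A short comment on the `if repo.Spec.ServiceAccountName != ""` branch would help, e.g. `// An empty name means pkg/auth falls back to the controller-wide default service account (--default-service-account), if one is configured.` — assuming that is how the upgraded pkg/auth v0.27.0 resolves it, which I cannot confirm from this diff. The same comment could note that the namespace is always the ImageRepository's own (`auth.WithServiceAccountNamespace(repo.GetNamespace())`), so the default can never resolve to a service account in another tenant's namespace. GetOptions starts before this hunk and continues after it.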
|
||||
|
|
|
|||
12
main.go
12
main.go
|
|
@ -96,6 +96,7 @@ func main() {
|
|||
rateLimiterOptions helper.RateLimiterOptions
|
||||
featureGates feathelper.FeatureGates
|
||||
tokenCacheOptions pkgcache.TokenFlags
|
||||
defaultServiceAccount string
|
||||
)
|
||||
|
||||
flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
|
||||
|
|
@ -114,11 +115,17 @@ func main() {
|
|||
featureGates.BindFlags(flag.CommandLine)
|
||||
watchOptions.BindFlags(flag.CommandLine)
|
||||
tokenCacheOptions.BindFlags(flag.CommandLine, tokenCacheDefaultMaxSize)
|
||||
flag.StringVar(&defaultServiceAccount, auth.ControllerFlagDefaultServiceAccount,
|
||||
"", "Default service account to use for workload identity when not specified in resources.")
|
||||
|
||||
flag.Parse()
|
||||
|
||||
logger.SetLogger(logger.NewLogger(logOptions))
|
||||
|
||||
if defaultServiceAccount != "" {
|
||||
auth.SetDefaultServiceAccount(defaultServiceAccount)
|
||||
}
|
||||
|
||||
if err := featureGates.WithLogger(setupLog).SupportedFeatures(features.FeatureGates()); err != nil {
|
||||
setupLog.Error(err, "unable to load feature gates")
|
||||
os.Exit(1)
|
||||
|
|
@ -132,6 +139,11 @@ func main() {
|
|||
auth.EnableObjectLevelWorkloadIdentity()
|
||||
}
|
||||
|
||||
if auth.InconsistentObjectLevelConfiguration() {
|
||||
setupLog.Error(auth.ErrInconsistentObjectLevelConfiguration, "invalid configuration")
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
badgerOpts := badger.DefaultOptions(storagePath)
|
||||
badgerOpts.ValueLogFileSize = storageValueLogFileSize
|
||||
badgerDB, err := badger.Open(badgerOpts)
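Review bot: The value of --default-service-account is handed to `auth.SetDefaultServiceAccount` without any validation or startup log line, so a mistyped name presumably surfaces only later, per object, when the service account is looked up, and an operator cannot tell from the logs which identity all unnamed resources will fall back to. Since the name is used as a Kubernetes object name downstream, consider rejecting values that are not a valid DNS-1123 subdomain at startup and logging the configured default, e.g. `setupLog.Info("using default service account for workload identity", "name", defaultServiceAccount)`. The flag help text could also state that the default only applies when object-level workload identity is enabled, if that is indeed how pkg/auth resolves it — this diff does not show it. main's body continues outside these hunks.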
|
||||
|
|
|
|||