Merge pull request #2035 from chaunceyjiang/auto_propagate_sa

Propagate dependencies add support propagate ServiceAccount
2022-08-02 19:50:59 +08:00 · 2022-08-02 19:50:59 +08:00 · 7c728707fc
parent 65757bf124 0014bc2aed
commit 7c728707fc
3 changed files with 47 additions and 3 deletions
--- a/docs/userguide/propagate-dependencies.md
+++ b/docs/userguide/propagate-dependencies.md
@ -1,5 +1,5 @@
 # Propagate dependencies
-Deployment, Job, Pod, DaemonSet and StatefulSet dependencies (ConfigMaps and Secrets) can be propagated to member
+Deployment, Job, Pod, DaemonSet and StatefulSet dependencies (ConfigMaps, Secrets and ServiceAccounts) can be propagated to member
 clusters automatically. This document demonstrates how to use this feature. For more design details, please refer to
 [dependencies-automatically-propagation](../proposals/dependencies-automatically-propagation/README.md)

--- a/pkg/resourceinterpreter/defaultinterpreter/dependencies.go
+++ b/pkg/resourceinterpreter/defaultinterpreter/dependencies.go
@ -111,7 +111,7 @@ func getStatefulSetDependencies(object *unstructured.Unstructured) ([]configv1al
 func getDependenciesFromPodTemplate(podObj *corev1.Pod) ([]configv1alpha1.DependentObjectReference, error) {
 	dependentConfigMaps := getConfigMapNames(podObj)
 	dependentSecrets := getSecretNames(podObj)
-
+	dependentSas := getServiceAccountNames(podObj)
 	var dependentObjectRefs []configv1alpha1.DependentObjectReference
 	for cm := range dependentConfigMaps {
 		dependentObjectRefs = append(dependentObjectRefs, configv1alpha1.DependentObjectReference{
@ -130,7 +130,14 @@ func getDependenciesFromPodTemplate(podObj *corev1.Pod) ([]configv1alpha1.Depend
 			Name:       secret,
 		})
 	}
-
+	for sa := range dependentSas {
+		dependentObjectRefs = append(dependentObjectRefs, configv1alpha1.DependentObjectReference{
+			APIVersion: "v1",
+			Kind:       "ServiceAccount",
+			Namespace:  podObj.Namespace,
+			Name:       sa,
+		})
+	}
 	return dependentObjectRefs, nil
 }

@ -143,6 +150,14 @@ func getSecretNames(pod *corev1.Pod) sets.String {
 	return result
 }

+func getServiceAccountNames(pod *corev1.Pod) sets.String {
+	result := sets.NewString()
+	if pod.Spec.ServiceAccountName != "" && pod.Spec.ServiceAccountName != "default" {
+		result.Insert(pod.Spec.ServiceAccountName)
+	}
+	return result
+}
+
 func getConfigMapNames(pod *corev1.Pod) sets.String {
 	result := sets.NewString()
 	lifted.VisitPodConfigmapNames(pod, func(name string) bool {
--- a/pkg/resourceinterpreter/defaultinterpreter/dependencies_test.go
+++ b/pkg/resourceinterpreter/defaultinterpreter/dependencies_test.go
@ -158,3 +158,32 @@ func TestGetDependenciesFromPodTemplate(t *testing.T) {
 		})
 	}
 }
+
+func Test_getServiceAccountNames(t *testing.T) {
+	type args struct {
+		pod *corev1.Pod
+	}
+	tests := []struct {
+		name string
+		args args
+		want sets.String
+	}{
+		{
+			name: "get ServiceAccountName from pod ",
+			args: args{pod: &corev1.Pod{Spec: corev1.PodSpec{ServiceAccountName: "test"}}},
+			want: sets.NewString("test"),
+		},
+		{
+			name: "get default ServiceAccountName from pod ",
+			args: args{pod: &corev1.Pod{Spec: corev1.PodSpec{ServiceAccountName: "default"}}},
+			want: sets.NewString(),
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := getServiceAccountNames(tt.args.pod); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("getServiceAccountNames() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}