
Optional support for custom default service account
Signed-off-by: Mikkel Oscar Lyderik Larsen <mikkel.larsen@zalando.de>
mikkeloscar committed Apr 12, 2024
1 parent 9ff5d39 commit 1636e13
Showing 3 changed files with 12 additions and 2 deletions.
4 changes: 4 additions & 0 deletions cluster/config-defaults.yaml
Expand Up @@ -594,6 +594,10 @@ teapot_admission_controller_crd_role_provisioning_allowed_api_groups: "flink.k8s
teapot_admission_controller_topology_spread: optin
teapot_admission_controller_topology_spread_timeout: 7m

# Inject custom default service account to identify client pods using default SA
# to read from the Kubernetes API.
teapot_admission_controller_custom_default_service_account: "false"


# Enable and configure runtime-policy annotation
{{if eq .Cluster.Environment "production"}}
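Review bot: The new comment on `teapot_admission_controller_custom_default_service_account` says what the feature is for but not which values are accepted; the value is a quoted string, and the consuming template in cluster/manifests/01-admission-control/config.yaml (same commit) only enables the feature on the exact string `"true"`, so any other spelling silently leaves it off. I'd extend the comment with `# Accepted values: "true" or "false" (string; the admission-controller config template checks for the literal "true")`. Keeping the default as the quoted string `"false"` is right for this file, since an unquoted `false` would be retyped as a boolean by generic YAML loaders and then fail the string comparison.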
4 changes: 4 additions & 0 deletions cluster/manifests/01-admission-control/config.yaml
Expand Up @@ -61,6 +61,10 @@ data:
podfactory.base-image-check.namespaces: "{{ .Cluster.ConfigItems.teapot_admission_controller_validate_base_images_namespaces }}"
{{- end }}

{{- if eq .Cluster.ConfigItems.teapot_admission_controller_custom_default_service_account "true"}}
podfactory.custom-default-service-account.enable: "true"
{{- end }}

# This setting enables and disables the container image compliance checks
pod.image-check.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_validate_pod_images }}"

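Review bot: The added block writes `podfactory.custom-default-service-account.enable` only when the config item is exactly `"true"`, so in every other case the key is absent from the rendered ConfigMap and the controller's built-in default applies, which differs from `pod.image-check.enable` two lines below that always passes the config value through. Unless the controller rejects an explicit `"false"`, emitting the key unconditionally, `podfactory.custom-default-service-account.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_custom_default_service_account }}"`, would make the effective setting visible in the rendered output and match the surrounding style. If the conditional is deliberate (for example because older controller builds do not recognise the key), a one-line comment above the `{{- if` saying so would save the next reader the question. The `data:` mapping this lives in starts above the hunk.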
6 changes: 4 additions & 2 deletions cluster/node-pools/master-default/userdata.yaml
Expand Up @@ -205,7 +205,8 @@ write_files:
limits:
memory: {{ .Values.InstanceInfo.MemoryFraction (parseInt64 .Cluster.ConfigItems.apiserver_memory_limit_percent)}}
{{- end }}
- image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-198
# - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-198
- image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/staging_namespace/teapot/admission-controller:pr-202-12
name: admission-controller
lifecycle:
preStop:
Expand Down Expand Up @@ -273,7 +274,8 @@ write_files:
- mountPath: /etc/kubernetes/ssl
name: ssl-certs-kubernetes
readOnly: true
- image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-128
# - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/k8s-authnz-webhook:master-128
- image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/staging_namespace/teapot/k8s-authnz-webhook:pr-159-4
name: webhook
ports:
- containerPort: 8081
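Review bot: Both hunks in this file swap the pinned `production_namespace` images for the admission controller (`master-198` to `pr-202-12`) and the authnz webhook (`master-128` to `pr-159-4`) for `staging_namespace` PR builds and leave the production lines commented out, which looks like a test-rollout state rather than something meant to land in master-default userdata under a commit titled "Optional support for custom default service account"; the webhook image change in particular is unrelated to that feature. These two containers are security-critical control-plane components, so the committed userdata should reference a reviewed release tag, ideally by immutable digest, rather than a PR tag that can be rebuilt behind the same name. I'd restore the two `production_namespace` lines once the PR builds are promoted and delete the commented-out copies instead of keeping both variants in the file. The containers list these entries belong to begins before the first hunk.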
