Add ServiceAccount for svclb pods

For 1.24 and earlier, the svclb pods need a ServiceAccount so that we can allow their sysctls in PSPs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>

Add ServiceAccount for svclb pods
For 1.24 and earlier, the svclb pods need a ServiceAccount so that we can allow their sysctls in PSPs Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
f25419ca · Brad Davidson · Brad Davidson · 8016ae2b · f25419ca
Commit f25419ca authored 2 years ago by Brad Davidson Committed by Brad Davidson 2 years ago
Hide whitespace changes
Inline Side-by-side

Showing

with 19 additions and 0 deletions
+19 -0
--- a/pkg/cloudprovider/servicelb.go
+++ b/pkg/cloudprovider/servicelb.go
@@ -56,6 +56,10 @@ func (k *k3s) Register(ctx context.Context,
 		return err
 	}

+	if err := k.createServiceLBServiceAccount(ctx); err != nil {
+		return err
+	}
+
 	go wait.Until(k.runWorker, time.Second, ctx.Done())

 	return k.removeServiceFinalizers(ctx)
@@ -74,6 +78,20 @@ func (k *k3s) createServiceLBNamespace(ctx context.Context) error {
 	return err
 }

+// createServiceLBServiceAccount ensures that the ServiceAccount used by pods exists
+func (k *k3s) createServiceLBServiceAccount(ctx context.Context) error {
+	_, err := k.client.CoreV1().ServiceAccounts(k.LBNamespace).Create(ctx, &core.ServiceAccount{
+		ObjectMeta: meta.ObjectMeta{
+			Name:      "svclb",
+			Namespace: k.LBNamespace,
+		},
+	}, meta.CreateOptions{})
+	if apierrors.IsAlreadyExists(err) {
+		return nil
+	}
+	return err
+}
+
 // onChangePod handles changes to Pods.
 // If the pod has labels that tie it to a service, and the pod has an IP assigned,
 // enqueue an update to the service's status.
@@ -422,6 +440,7 @@ func (k *k3s) newDaemonSet(svc *core.Service) (*apps.DaemonSet, error) {
 					},
 				},
 				Spec: core.PodSpec{
+					ServiceAccountName:           "svclb",
 					AutomountServiceAccountToken: utilpointer.Bool(false),
 				},
 			},