helm: add an rthooks serviceAccount section #2859
Looks reasonable!
I would be curious about why we need this service account since it seems to be associated with no role.
7dfb15e to 8169e10
Thanks @mtardy! Pushed a new version that sets the default value of
As Mahé wrote, it may have been enough to make the SA name configurable in the rthooks DaemonSet, but it still looks good to me.
If we can just make the ServiceAccountName configurable, I guess it would be enough?
install/kubernetes/tetragon/templates/rthooks_serviceaccount.yaml
8169e10 to d9ce585
Thanks Mahé! Pushed a new version, PTAL.

tested via:

helm template tetragon --set rthooks.enabled=true --set rthooks.interface=nri-hook ./install/kubernetes/tetragon | sed -n '/^.*tetragon\/templates\/rthooks-daemonset.yaml/,/^---$/p' | grep serviceAccountName

helm template tetragon --set rthooks.enabled=true --set rthooks.interface=nri-hook --set rthooks.serviceAccount.name=pizza ./install/kubernetes/tetragon | sed -n '/^.*tetragon\/templates\/rthooks-daemonset.yaml/,/^---$/p' | grep serviceAccountName
serviceAccountName: pizza

Signed-off-by: Kornilios Kourtis <[email protected]>
d9ce585 to d1dc341
Pushed a new version due to conflicts.
great, can you recheck @fgiloux to make sure everything looks good on your side?
@@ -395,3 +395,6 @@ rthooks: | |||
override: ~ | |||
repository: quay.io/cilium/tetragon-rthooks | |||
tag: v0.3 | |||
# -- rthooks service account. | |||
serviceAccount: |
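Review bot: the `# -- rthooks service account.` comment above the new `serviceAccount:` block should say what the default name is and whether the chart creates the account or only sets `serviceAccountName` on the rthooks DaemonSet when `name` is given; the review below asks exactly that, and the hunk header announces three added lines of which only two are visible here, so the documentation is the only place a values.yaml reader learns the semantics. Something like `# -- rthooks service account. name selects the account the DaemonSet runs as; see the chart docs for the default.` would close the gap.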
IIRC in the previous version the default was the release name, like for the agent.
With the new version you don't get the credentials of the tetragon SA to access the API. An alternative approach to achieve the same is with adding automountServiceAccountToken: false to spec.template.spec of the rthooks daemonset. This may be very specific to OpenShift but the SA identity will be checked for admitting a pod using hostpath. Both the agent and the rthooks daemonset need it, which means that their respective SAs need to be bound to a convenient SCC.
The answer may be documentation but I wanted to mention this point.
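As an added example (not code from this PR or the Tetragon chart), the following Python models the credential question raised in the comment above: which API identity the rthooks pods end up with under the shared agent SA, under a dedicated SA with no role bound, and with automountServiceAccountToken: false. The automount precedence rule (pod field, then ServiceAccount field, then true) is Kubernetes behaviour; the manifests are plain dicts with constructed names and the cluster state is sample data.

```python
# Added example (not chart code): manifests are plain dicts with constructed names.
def token_mounted(pod_spec, sa):
    """Kubernetes precedence: the pod-level field wins, then the SA field, else True."""
    if "automountServiceAccountToken" in pod_spec:
        return bool(pod_spec["automountServiceAccountToken"])
    return bool(sa.get("automountServiceAccountToken", True))

def bound_roles(sa_name, namespace, bindings):
    """Roles granted to the SA through (Cluster)RoleBinding subjects."""
    return sorted({b["roleRef"]["name"] for b in bindings for s in b.get("subjects", [])
                   if s.get("kind") == "ServiceAccount" and s.get("name") == sa_name
                   and s.get("namespace") == namespace})

def assess(daemonset, service_accounts, bindings):
    """Report which API identity, if any, the DaemonSet's pods would carry."""
    ns = daemonset["metadata"]["namespace"]
    pod_spec = daemonset["spec"]["template"]["spec"]
    sa_name = pod_spec.get("serviceAccountName", "default")  # Kubernetes default SA
    sa = next((s for s in service_accounts if s["metadata"] == {"name": sa_name, "namespace": ns}), {})
    mounted = token_mounted(pod_spec, sa)
    roles = bound_roles(sa_name, ns, bindings)
    # An unbound token still authenticates to the API server; only a disabled automount
    # keeps credentials out of the pod entirely.
    finding = ("no token mounted" if not mounted
               else "token with roles" if roles else "unbound token")
    return {"serviceAccount": sa_name, "tokenMounted": mounted,
            "roles": roles, "finding": finding}

def rthooks_ds(sa_name=None, automount=None):
    # Constructed minimal rthooks DaemonSet carrying only the fields at issue.
    spec = {"containers": [{"name": "tetragon-rthooks"}]}
    if sa_name is not None:
        spec["serviceAccountName"] = sa_name
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    return {"metadata": {"name": "tetragon-rthooks", "namespace": "kube-system"},
            "spec": {"template": {"spec": spec}}}

# Constructed cluster state: the agent SA is bound to a ClusterRole; nothing is bound to the rthooks SA.
SERVICE_ACCOUNTS = [{"metadata": {"name": "tetragon", "namespace": "kube-system"}},
                    {"metadata": {"name": "tetragon-rthooks", "namespace": "kube-system"}}]
BINDINGS = [{"kind": "ClusterRoleBinding", "roleRef": {"name": "tetragon"},
             "subjects": [{"kind": "ServiceAccount", "name": "tetragon",
                           "namespace": "kube-system"}]}]

def compare_variants():
    """The three layouts discussed in the thread, assessed side by side."""
    return {"shared agent SA": assess(rthooks_ds("tetragon"), SERVICE_ACCOUNTS, BINDINGS),
            "dedicated SA, no role": assess(rthooks_ds("tetragon-rthooks"), SERVICE_ACCOUNTS, BINDINGS),
            "automount disabled": assess(rthooks_ds("tetragon", False), SERVICE_ACCOUNTS, BINDINGS)}
```

The dedicated-SA variant is reported as "unbound token" rather than "no token mounted": the pod still holds a credential that authenticates to the API server, which is the distinction the reviewer draws between the two approaches.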
With the new version you don't get the credentials of the tetragon SA to access the API
API here being the k8s API server, correct? I think that's fine since rthooks does not need access to the API server. I think I'll just merge the change for now. Once/if we have a concrete problem, it would be easier to figure it out then.
Thanks!