Merge pull request #1284 from cappyzawa/rfc-0010-multi-tenancy-lockdown

[RFC-0010] Add multi-tenancy lockdown for kubeconfig

Author: matheuscscp

go.mod

@@ -22,10 +22,10 @@ require (
 	github.com/fluxcd/pkg/apis/event v0.18.0
 	github.com/fluxcd/pkg/apis/kustomize v1.11.0
 	github.com/fluxcd/pkg/apis/meta v1.18.0
-	github.com/fluxcd/pkg/auth v0.23.0
+	github.com/fluxcd/pkg/auth v0.26.0
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/chartutil v1.9.0
-	github.com/fluxcd/pkg/runtime v0.72.0
+	github.com/fluxcd/pkg/runtime v0.80.0
 	github.com/fluxcd/pkg/ssa v0.51.0
 	github.com/fluxcd/pkg/testserver v0.11.0
 	github.com/fluxcd/source-controller/api v1.6.0

go.sum

@@ -154,14 +154,14 @@ github.com/fluxcd/pkg/apis/kustomize v1.11.0 h1:0IzDgxZkc4v+5SDNCvgZhfwfkdkQLPXC
 github.com/fluxcd/pkg/apis/kustomize v1.11.0/go.mod h1:j302mJGDww8cn9qvMsRQ0LJ1HPAPs/IlX7CSsoJV7BI=
 github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
 github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
-github.com/fluxcd/pkg/auth v0.23.0 h1:Xt89QO1Hzh7X0JFwCeONyxMlgOX/zOPx0eyIyFoKyF0=
-github.com/fluxcd/pkg/auth v0.23.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
+github.com/fluxcd/pkg/auth v0.26.0 h1:jw128zPI4aRSvkGbFfAQcFNF3oK58P4rDdKIpj2/7yM=
+github.com/fluxcd/pkg/auth v0.26.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
 github.com/fluxcd/pkg/chartutil v1.9.0 h1:MnDKBNX7JXKe7E+J0F+eKnKsVYRC8bNQatv2HpmgSRQ=
 github.com/fluxcd/pkg/chartutil v1.9.0/go.mod h1:R0RfP6ZOtndKXkE1QGLvWLFDubKvh0fJlZeGHzndAfQ=
-github.com/fluxcd/pkg/runtime v0.72.0 h1:9JCto84iL2FziuTuuvDwvS+cfIzGhHOk25y8ulXpNOs=
-github.com/fluxcd/pkg/runtime v0.72.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/ssa v0.51.0 h1:sFarxKZcS0J8sjq9qvs/r+1XiJqNgRodEiPjV75F8R4=
 github.com/fluxcd/pkg/ssa v0.51.0/go.mod h1:v+h9RC0JxWIqMTK2Eo+8Nh700AXyZChZ2TiLVj4tf3M=
 github.com/fluxcd/pkg/testserver v0.11.0 h1:a/kxpFqv7XQxZjwVPP3voooRmSd/3ipLVolK0xUIxXQ=

main.go

@@ -84,28 +84,29 @@ func main() {
 	)
 
 	var (
-		metricsAddr               string
-		eventsAddr                string
-		healthAddr                string
-		concurrent                int
-		requeueDependency         time.Duration
-		gracefulShutdownTimeout   time.Duration
-		httpRetry                 int
-		clientOptions             client.Options
-		kubeConfigOpts            client.KubeConfigOptions
-		featureGates              feathelper.FeatureGates
-		logOptions                logger.Options
-		aclOptions                acl.Options
-		leaderElectionOptions     leaderelection.Options
-		rateLimiterOptions        helper.RateLimiterOptions
-		watchOptions              helper.WatchOptions
-		intervalJitterOptions     jitter.IntervalOptions
-		oomWatchInterval          time.Duration
-		oomWatchMemoryThreshold   uint8
-		oomWatchMaxMemoryPath     string
-		oomWatchCurrentMemoryPath string
-		snapshotDigestAlgo        string
-		tokenCacheOptions         cache.TokenFlags
+		metricsAddr                     string
+		eventsAddr                      string
+		healthAddr                      string
+		concurrent                      int
+		requeueDependency               time.Duration
+		gracefulShutdownTimeout         time.Duration
+		httpRetry                       int
+		clientOptions                   client.Options
+		kubeConfigOpts                  client.KubeConfigOptions
+		featureGates                    feathelper.FeatureGates
+		logOptions                      logger.Options
+		aclOptions                      acl.Options
+		leaderElectionOptions           leaderelection.Options
+		rateLimiterOptions              helper.RateLimiterOptions
+		watchOptions                    helper.WatchOptions
+		intervalJitterOptions           jitter.IntervalOptions
+		oomWatchInterval                time.Duration
+		oomWatchMemoryThreshold         uint8
+		oomWatchMaxMemoryPath           string
+		oomWatchCurrentMemoryPath       string
+		snapshotDigestAlgo              string
+		tokenCacheOptions               cache.TokenFlags
+		defaultKubeConfigServiceAccount string
 	)
 
 	flag.StringVar(&metricsAddr, "metrics-addr", ":8080",
@@ -122,8 +123,10 @@ func main() {
 		"The duration given to the reconciler to finish before forcibly stopping.")
 	flag.IntVar(&httpRetry, "http-retry", 9,
 		"The maximum number of retries when failing to fetch artifacts over HTTP.")
-	flag.StringVar(&intkube.DefaultServiceAccountName, "default-service-account", "",
+	flag.StringVar(&intkube.DefaultServiceAccountName, auth.ControllerFlagDefaultServiceAccount, "",
 		"Default service account used for impersonation.")
+	flag.StringVar(&defaultKubeConfigServiceAccount, auth.ControllerFlagDefaultKubeConfigServiceAccount, "",
+		"Default service account used for kubeconfig.")
 	flag.Uint8Var(&oomWatchMemoryThreshold, "oom-watch-memory-threshold", 95,
 		"The memory threshold in percentage at which the OOM watcher will trigger a graceful shutdown. Requires feature gate 'OOMWatch' to be enabled.")
 	flag.DurationVar(&oomWatchInterval, "oom-watch-interval", 500*time.Millisecond,
@@ -165,6 +168,10 @@ func main() {
 		auth.EnableObjectLevelWorkloadIdentity()
 	}
 
+	if defaultKubeConfigServiceAccount != "" {
+		auth.SetDefaultKubeConfigServiceAccount(defaultKubeConfigServiceAccount)
+	}
+
 	if err := intervalJitterOptions.SetGlobalJitter(nil); err != nil {
 		setupLog.Error(err, "unable to set global jitter")
 		os.Exit(1)