feat(chart): add automountServiceAccountToken support, more commonAnnotations #1754
Conversation
…upport This PR adds two new features to the Helm chart: 1. **serviceAccount.automountServiceAccountToken**: Allows controlling whether the service account token is automatically mounted. Useful for security hardening when using projected volumes for token access. Only renders when explicitly set, preserving default Kubernetes behavior. 2. **commonAnnotations**: Adds the ability to specify annotations that will be applied to all resources created by the chart. This is useful for organizational metadata, ownership tracking, or policy enforcement. Additionally, moves --secure-port arg after defaultArgs for better arg ordering flexibility. All features are backward compatible with existing deployments. Signed-off-by: jgonzalez <[email protected]>
k8s-ci-robot
added
the
kind/feature
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Jacobious52 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
k8s-ci-robot
added
cncf-cla: yes
|
This issue is currently awaiting triage. If metrics-server contributors determine this is a relevant issue, they will accept it by applying the The DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Welcome @Jacobious52! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @Jacobious52. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
size/M
stevehipwell
left a comment
stevehipwell
left a comment
There was a problem hiding this comment.
Thanks for the PR @Jacobious52, I've added a few review comments.
FYI you're overlapping with #1752.
| secrets: [] | ||
| # Specifies whether to automount the service account token | ||
| # When not set, Kubernetes default (true) is used | ||
| # automountServiceAccountToken: true |
There was a problem hiding this comment.
| # automountServiceAccountToken: true | |
| automountToken: |
This is already in the service account context, and all values need to be declared in the values file.
You can use the following pattern to set the field.
{{- if ne .Values.serviceAccount.automountToken nil }}
...
{{- end }}
| {{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }} | ||
| automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} | ||
| {{- end }} |
There was a problem hiding this comment.
If you're making this change for security hardening you'll likely also need to modify the deployment.
| {{- range .Values.defaultArgs }} | ||
| - {{ . }} | ||
| {{- end }} | ||
| - {{ printf "--secure-port=%d" (int .Values.containerPort) }} |
There was a problem hiding this comment.
I don't agree with this change. FYI this chart is designed to work with the official image or a hardened image built from the upstream source.
There was a problem hiding this comment.
No worries. The issue for our usage is for our hardened environment we are required to use a custom entry point in a hardened image forked from upstream and call the application binary as the first arg.
e.g.
args:
- /metrics-server
- args.
github-project-automation
bot
moved this from Needs Triage
to In Progress
in SIG Instrumentation
|
Thanks for your review @stevehipwell. I see I've overlapped with #1752 for annotations and our hardened image requirements are unique to us. So I'll close this and we'll just maintain and internal fork. |
github-project-automation
bot
moved this from In Progress
to Closed
in SIG Instrumentation
|
@Jacobious52 some of your annotation changes are net new so happy to take them. Was just a heads up and a chance to compare patterns. Also happy to take the service account changes. |
|
@stevehipwell Ah I jumped the gun there. Okay happy to try reconcile the annotation changes, and fix up SA token and add to the deployment. I'll leave the arg ordering out. Give me a bit of time and I'll make a commit. Cheers |
github-project-automation
bot
moved this from Closed
to In Progress
in SIG Instrumentation
Jacobious52
changed the title
3 participants
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR adds two new features to the Helm chart:
1.
serviceAccount.automountServiceAccountTokenAllows controlling whether the service account token is automatically mounted. This is useful for security hardening when using projected volumes for manual token access instead of automatic mounting.
Usage:
Only renders when explicitly set, preserving default Kubernetes behavior (no diff when omitted).
2.
commonAnnotationsAdds the ability to specify annotations that will be applied to all resources created by the chart. This is useful for:
Usage:
Applied to: ServiceAccount, ClusterRoles, ClusterRoleBindings, RoleBinding, Service, Deployment, PDB, APIService.
3. Arg ordering improvement
Moves
--secure-portarg afterdefaultArgsfor better flexibility when users need to control argument ordering.Required when using a custom image and entry point and need to specify metrics-server binary.
Which issue(s) this PR fixes:
None - new feature request.
Special notes for your reviewer:
Chart.yamlmodifications per contributing guidelinesautomountServiceAccountTokenis not set, no diff is produced (uses Kubernetes default)commonAnnotationsis merged with resource-specific annotations (e.g.,service.annotations), with resource-specific taking precedenceDoes this PR introduce a user-facing change?