Commit b35030a

committed
Don't create default ServiceAccounts
1 parent 161c86b commit b35030a

2 files changed

+46
-4
lines changed

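--- a/pkg/controller/registry/resolver/step_resolver_test.go
+++ b/pkg/controller/registry/resolver/step_resolver_test.go
@@ -831,6 +831,19 @@ func TestNamespaceResolverRBAC(t *testing.T) {
 },
 }
 bundle := bundleWithPermissions("a.v1", "a", "alpha", "", nil, nil, nil, nil, simplePermissions, simplePermissions)
+defaultServiceAccountPermissions := []v1alpha1.StrategyDeploymentPermissions{
+{
+ServiceAccountName: "default",
+Rules: []rbacv1.PolicyRule{
+{
+Verbs: []string{"get", "list"},
+APIGroups: []string{""},
+Resources: []string{"configmaps"},
+},
+},
+},
+}
+bundleWithDefaultServiceAccount := bundleWithPermissions("a.v1", "a", "alpha", "", nil, nil, nil, nil, defaultServiceAccountPermissions, defaultServiceAccountPermissions)
 type out struct {
 steps [][]*v1alpha1.Step
 subs []*v1alpha1.Subscription
@@ -857,6 +870,21 @@ func TestNamespaceResolverRBAC(t *testing.T) {
 },
 },
 },
+{
+name: "don't create default service accounts",
+clusterState: []runtime.Object{
+newSub(namespace, "a", "alpha", catalog),
+},
+bundlesInCatalog: []*api.Bundle{bundleWithDefaultServiceAccount},
+out: out{
+steps: [][]*v1alpha1.Step{
+withoutResourceKind("ServiceAccount", bundleSteps(bundleWithDefaultServiceAccount, namespace, "", catalog)),
+},
+subs: []*v1alpha1.Subscription{
+updatedSub(namespace, "a.v1", "", "a", "alpha", catalog),
+},
+},
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -1028,6 +1056,18 @@ func bundleSteps(bundle *api.Bundle, ns, replaces string, catalog registry.Catal
 return steps
 }
 
+func withoutResourceKind(kind string, steps []*v1alpha1.Step) []*v1alpha1.Step {
+filtered := make([]*v1alpha1.Step, 0)
+
+for i, s := range steps {
+if s.Resource.Kind != kind {
+filtered = append(filtered, steps[i])
+}
+}
+
+return filtered
+}
+
 func subSteps(namespace, operatorName, pkgName, channelName string, catalog registry.CatalogKey) []*v1alpha1.Step {
 sub := &v1alpha1.Subscription{
 ObjectMeta: metav1.ObjectMeta{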
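Review bot: The new case `don't create default service accounts` only exercises a bundle whose permissions all name `default`, and `withoutResourceKind("ServiceAccount", ...)` strips every ServiceAccount step from the expectation, so no case shows a named account and `default` side by side in one bundle. A second case mixing the two would pin that only the `default` account is skipped and the named one is still created. In `withoutResourceKind`, `filtered = append(filtered, steps[i])` can be `filtered = append(filtered, s)` with the index dropped, and the helper would benefit from a one-line doc comment saying it returns the steps whose `Resource.Kind` differs from `kind`.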

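--- a/pkg/controller/registry/resolver/steps.go
+++ b/pkg/controller/registry/resolver/steps.go
@@ -190,11 +190,13 @@ func NewServiceAccountStepResources(csv *v1alpha1.ClusterServiceVersion, catalog
 }
 
 for _, perms := range operatorPermissions {
-step, err := NewStepResourceFromObject(perms.ServiceAccount, catalogSourceName, catalogSourceNamespace)
-if err != nil {
-return nil, err
+if perms.ServiceAccount.Name != "default" {
+step, err := NewStepResourceFromObject(perms.ServiceAccount, catalogSourceName, catalogSourceNamespace)
+if err != nil {
+return nil, err
+}
+rbacSteps = append(rbacSteps, step)
 }
-rbacSteps = append(rbacSteps, step)
 for _, role := range perms.Roles {
 step, err := NewStepResourceFromObject(role, catalogSourceName, catalogSourceNamespace)
 if err != nil {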
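Review bot: The guard `if perms.ServiceAccount.Name != "default"` skips only the ServiceAccount step; the `for _, role := range perms.Roles` loop right after it still runs for those permissions, so a bundle that names `default` gets its rules attached to the account that pods in the namespace run as when they set no service account of their own. That widens what every such workload may do, which looks intended here but should be stated in a comment above the guard, e.g. `// "default" already exists in every namespace, so only its Roles are emitted; the rules then apply to every pod running as default.` The literal `"default"` would also read better as a named constant shared with the test. The rest of NewServiceAccountStepResources, presumably including the RoleBinding handling, lies outside the hunk.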
