
Commit ebec0e7

Merge pull request #1863 from jeloba/dont-create-default-service-accounts
Don't create default ServiceAccounts
2 parents 39463ca + b35030a commit ebec0e7


2 files changed

+46
-4
lines changed


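--- a/pkg/controller/registry/resolver/step_resolver_test.go
+++ b/pkg/controller/registry/resolver/step_resolver_test.go
@@ -839,6 +839,19 @@ func TestNamespaceResolverRBAC(t *testing.T) {
 },
 }
 bundle := bundleWithPermissions("a.v1", "a", "alpha", "", nil, nil, nil, nil, simplePermissions, simplePermissions)
+defaultServiceAccountPermissions := []v1alpha1.StrategyDeploymentPermissions{
+{
+ServiceAccountName: "default",
+Rules: []rbacv1.PolicyRule{
+{
+Verbs: []string{"get", "list"},
+APIGroups: []string{""},
+Resources: []string{"configmaps"},
+},
+},
+},
+}
+bundleWithDefaultServiceAccount := bundleWithPermissions("a.v1", "a", "alpha", "", nil, nil, nil, nil, defaultServiceAccountPermissions, defaultServiceAccountPermissions)
 type out struct {
 steps [][]*v1alpha1.Step
 subs []*v1alpha1.Subscription
@@ -865,6 +878,21 @@ func TestNamespaceResolverRBAC(t *testing.T) {
 },
 },
 },
+{
+name: "don't create default service accounts",
+clusterState: []runtime.Object{
+newSub(namespace, "a", "alpha", catalog),
+},
+bundlesInCatalog: []*api.Bundle{bundleWithDefaultServiceAccount},
+out: out{
+steps: [][]*v1alpha1.Step{
+withoutResourceKind("ServiceAccount", bundleSteps(bundleWithDefaultServiceAccount, namespace, "", catalog)),
+},
+subs: []*v1alpha1.Subscription{
+updatedSub(namespace, "a.v1", "", "a", "alpha", catalog),
+},
+},
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
@@ -1036,6 +1064,18 @@ func bundleSteps(bundle *api.Bundle, ns, replaces string, catalog registry.Catal
 return steps
 }
 
+func withoutResourceKind(kind string, steps []*v1alpha1.Step) []*v1alpha1.Step {
+filtered := make([]*v1alpha1.Step, 0)
+
+for i, s := range steps {
+if s.Resource.Kind != kind {
+filtered = append(filtered, steps[i])
+}
+}
+
+return filtered
+}
+
 func subSteps(namespace, operatorName, pkgName, channelName string, catalog registry.CatalogKey) []*v1alpha1.Step {
 sub := &v1alpha1.Subscription{
 ObjectMeta: metav1.ObjectMeta{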
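Review bot: The new case `don't create default service accounts` strips every ServiceAccount step from the expected output via `withoutResourceKind`, and the bundle declares only the `default` account, so the test would still pass if the resolver stopped emitting ServiceAccount steps for all accounts; adding a second, non-default ServiceAccount to `defaultServiceAccountPermissions` and expecting its step to survive would pin the intended behaviour. In `withoutResourceKind`, `filtered := make([]*v1alpha1.Step, 0)` could be pre-sized as `make([]*v1alpha1.Step, 0, len(steps))`, and since `steps[i]` is the same pointer as the range value, `filtered = append(filtered, s)` reads more directly. A doc comment such as `// withoutResourceKind returns steps whose resource kind is not kind, preserving order.` would also help, as the helper sits among other undocumented test helpers.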

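--- a/pkg/controller/registry/resolver/steps.go
+++ b/pkg/controller/registry/resolver/steps.go
@@ -190,11 +190,13 @@ func NewServiceAccountStepResources(csv *v1alpha1.ClusterServiceVersion, catalog
 }
 
 for _, perms := range operatorPermissions {
-step, err := NewStepResourceFromObject(perms.ServiceAccount, catalogSourceName, catalogSourceNamespace)
-if err != nil {
-return nil, err
+if perms.ServiceAccount.Name != "default" {
+step, err := NewStepResourceFromObject(perms.ServiceAccount, catalogSourceName, catalogSourceNamespace)
+if err != nil {
+return nil, err
+}
+rbacSteps = append(rbacSteps, step)
 }
-rbacSteps = append(rbacSteps, step)
 for _, role := range perms.Roles {
 step, err := NewStepResourceFromObject(role, catalogSourceName, catalogSourceNamespace)
 if err != nil {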
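Review bot: The new guard `if perms.ServiceAccount.Name != "default" {` suppresses only the ServiceAccount step; the Role steps in the loop that follows (and presumably the RoleBindings that reference the account, outside this hunk) are still emitted for a bundle that names `default`, so the bundle's permissions end up granted to the namespace's pre-existing default ServiceAccount, which is the identity of every pod in that namespace without an explicit serviceAccountName. That is worth stating beside the check so it is not later read as "ignore default-account permissions": `// The namespace's "default" ServiceAccount already exists and is not managed here, so no step is emitted for it; the Roles/RoleBindings below still apply to it.` Consider hoisting the literal into a named constant and logging when a bundle binds permissions to the default ServiceAccount, since that grant reaches the whole namespace rather than one workload. If `perms.ServiceAccount` can be nil the new `.Name` access panics where the old code handed the value to NewStepResourceFromObject first, which cannot be confirmed from this hunk. The enclosing function begins and ends outside the hunk.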
