Can't create extra service accounts with pod spec set v2

Bug #1847125 reported by Kenneth Koski
Affects: Canonical Juju
Status: Fix Released
Importance: High
Assigned to: Yang Kelvin Liu
Milestone: 2.7-beta1

Bug Description

I would like to set up a service that requires both a service account for itself, as well as a service account for the pods that it creates to run in. These service accounts need different permissions (so that the pods that are created by the service can't in turn create more pods themselves). As an example, the `pipelines-api` service needs both a service account / binding for itself:

https://github.com/kubeflow/manifests/blob/88ff544/pipeline/api-service/base/service-account.yaml

As well as a service account / binding for the pods that it creates while running a pipeline:

https://github.com/kubeflow/manifests/blob/88ff544/pipeline/pipelines-runner/base/service-account.yaml
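The two-tier RBAC layout the report asks for, written out as a plain Kubernetes manifest. This is an added illustration and is not the Kubeflow manifest linked above nor anything Juju generates; the namespace `kubeflow`, the names `pipelines-api` and `pipelines-runner`, and the exact verb lists are assumptions chosen to make the point. The service's own account can create pods; the account the launched pods run as can only read them, so a compromised pipeline step cannot fan out further workloads.

```yaml
# Constructed example, not the Kubeflow or Juju manifests referenced in this bug.
# Two ServiceAccounts in one namespace, each bound to its own namespace-scoped Role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipelines-api          # identity of the long-running API service itself
  namespace: kubeflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pipelines-api
  namespace: kubeflow
rules:
  # The service needs to launch, track and clean up runner pods...
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "get", "list", "watch", "delete"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelines-api
  namespace: kubeflow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipelines-api
subjects:
  - kind: ServiceAccount
    name: pipelines-api
    namespace: kubeflow
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pipelines-runner       # identity the pods created by the service run as
  namespace: kubeflow
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pipelines-runner
  namespace: kubeflow
rules:
  # ...but the pods it creates may only read pods. No "create" verb here, so a
  # compromised step cannot use its mounted token to schedule more workloads.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pipelines-runner
  namespace: kubeflow
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pipelines-runner
subjects:
  - kind: ServiceAccount
    name: pipelines-runner
    namespace: kubeflow
---
# Pod the API service would submit: it must name the reduced account explicitly,
# otherwise the pod inherits the namespace's "default" ServiceAccount.
apiVersion: v1
kind: Pod
metadata:
  name: pipeline-run-example
  namespace: kubeflow
spec:
  serviceAccountName: pipelines-runner
  containers:
    - name: step
      image: busybox:1.36
      command: ["sh", "-c", "echo running as pipelines-runner; sleep 5"]
```

After applying the manifest, the split can be checked with impersonation from the API server's point of view: `kubectl auth can-i create pods -n kubeflow --as=system:serviceaccount:kubeflow:pipelines-api` should answer `yes`, and the same query with `--as=system:serviceaccount:kubeflow:pipelines-runner` should answer `no`. If a pipeline step never calls the API at all, setting `automountServiceAccountToken: false` on the pod removes the token entirely, which is tighter still than a read-only binding.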

Yang Kelvin Liu (kelvin.liu) wrote:

https://github.com/juju/juju/pull/10716 introduces this feature and will be in edge shortly.

Changed in juju:
status: New → Triaged
status: Triaged → In Progress
status: In Progress → Fix Committed
assignee: nobody → Yang Kelvin Liu (kelvin.liu)
milestone: none → 2.7-beta1
Changed in juju:
status: Fix Committed → In Progress
Kenneth Koski (knkski) wrote:

As far as bikeshedding around exact syntax, this is the sort of syntax that I would go for, as a consumer of pod spec set:

roles:
  pod:
    bindings: ["foo"] # Creates a RoleBinding
    globalBindings: ["bar"] # Creates a ClusterRoleBinding
    rules: # Creates a Role and RoleBinding
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["get"]
    globalRules: # Creates a ClusterRole and ClusterRoleBinding
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["get"]
  extra:
  - name: secondary-sa
    bindings: ["foo"]
    rules:
      - apiGroups: [""]
        resources: ["pods"]
        verbs: ["get"]

A few reasons for the why of the naming:
 - serviceAccount is Kubernetes-specific naming that might be confusing on another CaaS, whereas `roles` is abstract enough to work on another CaaS (or even clouds like AWS) and still gets the point across
 - "clusterRoleNames" is confusing due to Juju not currently supporting binding to ClusterRoles, only Roles. It's also K8s-specific naming, whereas `bindings` is generic enough that it should work in other CaaS systems (and even makes sense in non-CaaS systems)

Yang Kelvin Liu (kelvin.liu) wrote:

https://github.com/juju/juju/pull/10739 has landed in 2.7 to enable cluster roles and cluster role bindings.

Changed in juju:
status: In Progress → Fix Committed
Changed in juju:
importance: Undecided → High
Changed in juju:
status: Fix Committed → Fix Released