redhat-developer
WIP set service account for dev container via component attributes
Signed-off-by: Vinny Sabatini [email protected]
What type of PR is this:
/kind feature
What does this PR do / why we need it:
Allow users to specify what Kubernetes service account the pod should run as for an odo dev session.
This is generally useful if you want your workload to have additional permissions within a Kubernetes cluster
and you do not want to grant additional access to the default service account.
If the attribute is not set, the default service account will be used.
Which issue(s) this PR fixes:
Fixes #5977
PR acceptance criteria:
-
[ ] Unit test
-
[ ] Integration test
-
[ ] Documentation
How to test changes / Special notes to the reviewer:
- In your Kubernetes cluster, create a service account
- In your devfile, set
.components.attributes.serviceAccountNamefor your container component to the name of the service account you createdcomponents: - attributes: serviceAccountName: my-service-account container: dedicatedPod: false endpoints: - name: http secure: false targetPort: 8080 image: quay.io/devfile/golang:latest memoryLimit: 1024Mi mountSources: true name: runtime - Start
odo dev - Check
.spec.template.spec.serviceAccountNameon the deployment, or.spec.serviceAccountNameof the running pod
Hi @vinny-sabatini. Thanks for your PR.
I'm waiting for a redhat-developer member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.
Once the patch is verified, the new status will be reflected by the ok-to-test label.
I understand the commands that are listed here.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
![openshift-ci[bot] avatar](https://avatars.githubusercontent.com/in/91280?v=4 "Published by a pub.dev verified publisher"){kind=small}
Deploy Preview for odo-docusaurus-preview ready!
| Name | Link |
|---|---|
| Latest commit | 63e11ca8d81b57c9289dde44eda605d5890daef0 |
| Latest deploy log | https://app.netlify.com/sites/odo-docusaurus-preview/deploys/631b999e361db200086d25a8 |
| Deploy Preview | https://deploy-preview-6111--odo-docusaurus-preview.netlify.app |
| Preview on mobile | Toggle QR Code...Use your smartphone camera to open QR code link. |
To edit notification comments on pull requests, go to your Netlify site settings.
![netlify[bot] avatar](https://avatars.githubusercontent.com/in/13473?v=4 "Published by a pub.dev verified publisher"){kind=small}
Kudos, SonarCloud Quality Gate passed! 
0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells
No Coverage information
0.0% Duplication
![sonarqubecloud[bot] avatar](https://avatars.githubusercontent.com/in/12526?v=4 "Published by a pub.dev verified publisher"){kind=small}
[APPROVALNOTIFIER] This PR is NOT APPROVED
This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kadel for approval by writing /assign @kadel in a comment. For more information see:The Kubernetes Code Review Process.
The full list of commands accepted by this bot can be found here.
Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment
![odo-robot[bot] avatar](https://avatars.githubusercontent.com/in/158946?v=4 "Published by a pub.dev verified publisher"){kind=small}
Hi @vinny-sabatini, earlier this week, there was a discussion on one of the devfile issues. And the solution that was proposed there would also address the "ServiceAccount" issue as well but in a more generic way.
You can see what is being proposed here https://github.com/devfile/api/issues/920#issuecomment-1244059075
@kadel thanks for the info! That solution looks much more flexible than trying to key every single customization and overloading the devfile API spec. I can work on updating this PR to follow the convention mentioned in that issue
@vinny-sabatini: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:
| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/v4.10-integration-e2e | 63e11ca8d81b57c9289dde44eda605d5890daef0 | link | true | /test v4.10-integration-e2e |
| ci/prow/v4.11-integration-e2e | 63e11ca8d81b57c9289dde44eda605d5890daef0 | link | true | /test v4.11-integration-e2e |
Full PR test history. Your PR dashboard.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
@kadel thanks for the info! That solution looks much more flexible than trying to key every single customization and overloading the devfile API spec. I can work on updating this PR to follow the convention mentioned in that issue
odo uses devfile/library for generating k8s resources from devfile. I think that this logic should be implemented in the devfile/library. There is a set of functions in the generator package that odo uses. Those functions should be updated to use the information from the annotations.
This was done in https://github.com/redhat-developer/odo/pull/6512 Closing this PR