
Ability to specify ServiceAccount for `odo dev`

Open vinny-sabatini opened this issue 2 years ago • 4 comments

/kind feature

Which functionality do you think we should add?

When running the odo dev command, I would like to be able to specify the Kubernetes ServiceAccount the pod should run as.

Why is this needed?

Currently, if you use odo dev the pod will start as the default service account. Some workloads running on Kubernetes need to run as a specific service account in order to have the proper permissions to work properly. One common use case is a Kubernetes Operator.

vinny-sabatini avatar Jul 26 '22 15:07 vinny-sabatini

Notes from the discussion on this in the odo contributors' call:

  1. This should ideally be addressed at the Devfile API level, such that a container component has a serviceAccount attribute.
  2. In the absence of 1, odo can use the annotations field in the container component so that a service account specified there is used by odo to set the proper information inside the Pod created for that component.

dharmit avatar Aug 01 '22 13:08 dharmit

As part of this Sprint, the team will be investigating how to implement pod-overrides and container-overrides annotations in the Devfile library (as a more generic way that would allow us to support user-defined ServiceAccounts), as discussed in https://github.com/devfile/api/issues/920#issuecomment-1244059075. Then on the odo side, it would "just" be a matter of updating the Devfile library version.

Related issue: https://github.com/devfile/api/issues/936

To better estimate the work that needs to be done, we are investigating if there exists some library that could help with merging JSON data.

/assign @feloy

rm3l avatar Sep 21 '22 13:09 rm3l

The gojq library (github.com/itchyny/gojq) can be used:

package main

import (
	"errors"
	"fmt"

	"github.com/itchyny/gojq"
	corev1 "k8s.io/api/core/v1"
	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/utils/pointer"
)

func main() {
	// Starting point: a typed Pod with an existing securityContext.
	pod := corev1.Pod{
		Spec: corev1.PodSpec{
			SecurityContext: &corev1.PodSecurityContext{
				RunAsUser: pointer.Int64(1001),
			},
		},
	}

	// Convert the typed Pod into the generic map form that gojq operates on.
	unstructuredPod, err := ConvertResourceToUnstructured(&pod)
	if err != nil {
		panic(err)
	}

	// The override, expressed as a jq assignment on the unstructured object.
	query, err := gojq.Parse(".spec.securityContext = {\"runAsUser\": 1000, \"runAsGroup\": 3000, \"fsGroup\": 2000}")
	if err != nil {
		panic(err)
	}
	iter := query.Run(unstructuredPod)
	v, ok := iter.Next()
	if !ok {
		panic(errors.New("query produced no output"))
	}
	// gojq reports runtime failures as error values returned by Next(), not via ok.
	if runErr, isErr := v.(error); isErr {
		panic(runErr)
	}
	json, ok := v.(map[string]interface{})
	if !ok {
		panic(fmt.Errorf("expected a JSON object, got %T", v))
	}

	// Convert the patched map back into the typed Pod.
	if err := ConvertUnstructuredToResource(unstructured.Unstructured{Object: json}, &pod); err != nil {
		panic(err)
	}

	fmt.Printf("%v\n", pod)
}

func ConvertUnstructuredToResource(u unstructured.Unstructured, obj interface{}) error {
	return runtime.DefaultUnstructuredConverter.FromUnstructured(u.UnstructuredContent(), obj)
}

func ConvertResourceToUnstructured(obj interface{}) (map[string]interface{}, error) {
	return runtime.DefaultUnstructuredConverter.ToUnstructured(obj)
}

feloy avatar Sep 21 '22 15:09 feloy
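Added example (not code from the odo or devfile projects, nor from any commenter) of the merge step discussed in the two comments above: a pod-overrides value is merged into the JSON form of a generated Pod to set spec.serviceAccountName, using only the Go standard library. It assumes RFC 7386 merge-patch semantics for the override (an assumption; the devfile library's actual merge rules are not shown on this page), and `ApplyPodOverrides` / `ServiceAccountName` are names chosen here.

```go
package main

import (
	"encoding/json"
	"errors"
)

// mergePatch applies an RFC 7386 JSON merge patch (assumed override semantics): objects merge key by key, a null deletes that key, any other value replaces the target.
func mergePatch(target, patch interface{}) interface{} {
	patchObj, ok := patch.(map[string]interface{})
	if !ok {
		return patch
	}
	out := map[string]interface{}{}
	if targetObj, ok := target.(map[string]interface{}); ok {
		for k, v := range targetObj {
			out[k] = v
		}
	}
	for k, v := range patchObj {
		if v == nil {
			delete(out, k)
		} else {
			out[k] = mergePatch(out[k], v)
		}
	}
	return out
}

// ApplyPodOverrides merges a pod-overrides annotation value (a JSON object) into the JSON form of a Pod manifest and returns the merged manifest.
func ApplyPodOverrides(podJSON, overridesJSON string) (map[string]interface{}, error) {
	var pod, overrides interface{}
	if err := json.Unmarshal([]byte(podJSON), &pod); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(overridesJSON), &overrides); err != nil {
		return nil, err
	}
	if _, ok := overrides.(map[string]interface{}); !ok {
		return nil, errors.New("pod-overrides must be a JSON object")
	}
	return mergePatch(pod, overrides).(map[string]interface{}), nil
}

// ServiceAccountName returns spec.serviceAccountName of a manifest, or "" if unset.
func ServiceAccountName(pod map[string]interface{}) string {
	spec, _ := pod["spec"].(map[string]interface{})
	name, _ := spec["serviceAccountName"].(string)
	return name
}
```

The containers list and other keys not mentioned in the override survive the merge, while a null value in the override removes the key, which is how a default serviceAccountName can be cleared as well as replaced.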

https://github.com/devfile/api/blob/fe7c10eaa530b12b19cfb0e22e221e753391304c/pkg/attributes/attributes.go#L14

dharmit avatar Oct 10 '22 13:10 dharmit

I've opened https://github.com/devfile/library/pull/155 for the container-overrides part.

dharmit avatar Nov 17 '22 12:11 dharmit

TODO (as of Nov-23, 2022):

  • [ ] Continue work on container-overrides PR above: https://github.com/devfile/library/pull/155
  • [ ] PR for supporting pod-overrides

rm3l avatar Nov 24 '22 09:11 rm3l