feat: use one ServiceAccount per module (#3578)

Per deployment is to granular for our security use cases.
TBD54566975 · Dec 3, 2024 · c8a191b · c8a191b
1 parent 682b4bf
commit c8a191b
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -29,6 +29,7 @@ ENV PATH="$PATH:/root"
 # Service-specific configurations
 EXPOSE 8891
 EXPOSE 8892
+EXPOSE 8893
 
 # Environment variables for all (most) services
 ENV FTL_ENDPOINT="http://host.docker.internal:8892"

diff --git a/backend/provisioner/runner_scaling_provisioner.go b/backend/provisioner/runner_scaling_provisioner.go
@@ -50,6 +50,7 @@ func provisionRunner(scaling scaling.RunnerScaling, client ftlv1connect.Controll
 		logger.Debugf("provisioning runner: %s.%s for deployment %s", module, id, deployment)
 		err = scaling.StartDeployment(ctx, module, deployment, schema)
 		if err != nil {
+			logger.Infof("failed to start deployment: %v", err)
 			return nil, fmt.Errorf("failed to start deployment: %w", err)
 		}
 		endpoint, err := scaling.GetEndpointForDeployment(ctx, module, deployment)

diff --git a/backend/provisioner/scaling/k8sscaling/k8s_scaling.go b/backend/provisioner/scaling/k8sscaling/k8s_scaling.go
@@ -322,8 +322,9 @@ func (r *k8sScaling) handleNewDeployment(ctx context.Context, module string, nam
 	// Now create a ServiceAccount, we mostly need this for Istio but we create it for all deployments
 	// To keep things consistent
 	serviceAccountClient := r.client.CoreV1().ServiceAccounts(r.namespace)
-	serviceAccount, err := serviceAccountClient.Get(ctx, name, v1.GetOptions{})
+	serviceAccount, err := serviceAccountClient.Get(ctx, module, v1.GetOptions{})
 	if err != nil {
+		//TODO: implement cleanup for Service Accounts of modules that are completly removed
 		if !errors.IsNotFound(err) {
 			return fmt.Errorf("failed to get service account %s: %w", name, err)
 		}
@@ -332,9 +333,11 @@ func (r *k8sScaling) handleNewDeployment(ctx context.Context, module string, nam
 		if err != nil {
 			return fmt.Errorf("failed to decode service account from configMap %s: %w", configMapName, err)
 		}
-		serviceAccount.Name = name
-		serviceAccount.OwnerReferences = []v1.OwnerReference{{APIVersion: "v1", Kind: "service", Name: name, UID: service.UID}}
-		addLabels(&serviceAccount.ObjectMeta, module, name)
+		serviceAccount.Name = module
+		if serviceAccount.Labels == nil {
+			serviceAccount.Labels = map[string]string{}
+		}
+		serviceAccount.Labels[moduleLabel] = module
 		_, err = serviceAccountClient.Create(ctx, serviceAccount, v1.CreateOptions{})
 		if err != nil {
 			return fmt.Errorf("failed to create service account%s: %w", name, err)
@@ -403,7 +406,7 @@ func (r *k8sScaling) handleNewDeployment(ctx context.Context, module string, nam
 		deployment.Spec.Template.ObjectMeta.Labels = map[string]string{}
 	}
 
-	deployment.Spec.Template.Spec.ServiceAccountName = name
+	deployment.Spec.Template.Spec.ServiceAccountName = module
 	changes, err := r.syncDeployment(ctx, thisImage, deployment, 1)
 
 	if err != nil {