Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 #13820

Merged
merged 1 commit into from
Oct 27, 2024
Merged

fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 #13820

merged 1 commit into from
Oct 27, 2024

Conversation

MinyiZ
Copy link
Contributor

@MinyiZ MinyiZ commented Oct 26, 2024
edited by agilgur5
Loading

Fixes #12848

Motivation

#10945 introduced a regression as it is mounting a serviceaccount token on the main container when automountServiceAccountToken: false.

The security docs say

The main container will have the service account token mounted, allowing the main container to patch pods (among other permissions). Set automountServiceAccountToken to false to prevent this.

#10937 was not a bug. It is possible to explicitly mount a token to container and script template workflows even if automountServiceAccountToken: false so the code change was not needed.

Modifications

Verification

Tests passed

@MinyiZ MinyiZ force-pushed the fix-duplicate-sa-mount branch 2 times, most recently from 59d99a6 to 05609d7 Compare October 26, 2024 13:11
@agilgur5 agilgur5 changed the title fix: resource template etting duplicate exec-sa-token volume mounts with automountServiceAccountToken: false. Fixes #12848 fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 Oct 26, 2024
agilgur5
agilgur5 reviewed Oct 26, 2024
View reviewed changes
Copy link

@agilgur5 agilgur5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Regarding the tests here and from #10945, a resource template should correctly fail if automountServiceAccountToken: false since, well, there is no SA token for it to use

@agilgur5 agilgur5 added area/controller Controller issues, panics area/executor labels Oct 26, 2024
@agilgur5 agilgur5 added this to the v3.5.x patches milestone Oct 26, 2024
@MinyiZ MinyiZ force-pushed the fix-duplicate-sa-mount branch from 05609d7 to 6c8400a Compare October 26, 2024 20:33
@MinyiZ MinyiZ changed the title fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 fix: resource template getting duplicate exec-sa-token volume mounts with automountServiceAccountToken: false. Fixes #12848 Oct 26, 2024
@MinyiZ
Copy link
Contributor Author

MinyiZ commented Oct 26, 2024
edited by agilgur5
Loading

Regarding the tests here and from #10945, a resource template should correctly fail if automountServiceAccountToken: false since, well, there is no SA token for it to use

I've fixed the tests from #10945 to demonstrate that it is possible to explicitly mount a token to container and script template workflows even if automountServiceAccountToken: false so the code change was not needed.

I believe resource templates shouldn't fail if automountServiceAccountToken: false because the exec token is mounted at

argo-workflows/workflow/controller/operator.go

Line 3453 in 25bbb71

mainCtr := woc.newExecContainer(common.MainContainerName, tmpl)
and I've added an e2e test to demonstrate that.

@MinyiZ MinyiZ force-pushed the fix-duplicate-sa-mount branch from 6c8400a to 6de843d Compare October 26, 2024 21:59
@MinyiZ MinyiZ marked this pull request as ready for review October 26, 2024 22:32
@agilgur5
Copy link

agilgur5 commented Oct 27, 2024
edited
Loading

I believe resource templates shouldn't fail if automountServiceAccountToken: false because the exec token is mounted at

Ah nice, I wasn't sure if resource templates handled executor.serviceAccountName since they use a main container.

I've fixed the tests from #10945 to demonstrate that it is possible to explicitly mount a token to container and script template workflows even if automountServiceAccountToken: false so the code change was not needed.

I saw that, but I don't think that test is very functional / necessary. Basically you're manually mounting the token instead of automounting it. A user shouldn't really ever do that manually though, they should just automount. That is also testing k8s behavior rather than Argo behavior at that point.
I think both those tests should just be removed.

agilgur5 changed the title fix: resource template etting duplicate exec-sa-token volume mounts with automountServiceAccountToken: false. Fixes #12848 fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 12 hours ago

MinyiZ changed the title fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 fix: resource template getting duplicate exec-sa-token volume mounts with automountServiceAccountToken: false. Fixes #12848 5 hours ago

Regarding the PR title, my change was intentional. The PR title should summarize what the PR does, not what the issue is. The PR title and issue title should not be equivalent, as they are now.
The actual source code change is not specific to resource templates either, as the code path does not check for a resource template, which is why I did not label it as such

@MinyiZ MinyiZ changed the title fix: resource template getting duplicate exec-sa-token volume mounts with automountServiceAccountToken: false. Fixes #12848 fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 Oct 27, 2024
fix: resource template getting duplicate exec-sa-token volume mounts …
fbebb72 
…with automountServiceAccountToken: false. Fixes argoproj#12848

Signed-off-by: Minyi Zhong <[email protected]>
@MinyiZ MinyiZ force-pushed the fix-duplicate-sa-mount branch from 6de843d to fbebb72 Compare October 27, 2024 06:42
@MinyiZ
Copy link
Contributor Author

MinyiZ commented Oct 27, 2024
edited
Loading

I think both those tests should just be removed.

Yep agreed. Done.

Regarding the PR title, my change was intentional.

Ooops sorry about that. I unintentionally reverted your change when I was fixing up a typo. I've changed it back now.

@agilgur5 agilgur5 changed the title fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 fix: don't mount SA token when automountServiceAccountToken: false. Fixes #12848 Oct 27, 2024
agilgur5
agilgur5 approved these changes Oct 27, 2024
View reviewed changes
Copy link

@agilgur5 agilgur5 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for taking a look and fixing this!

@agilgur5 agilgur5 enabled auto-merge (squash) October 27, 2024 06:50
@agilgur5 agilgur5 merged commit 3dfea6d into argoproj:main Oct 27, 2024
31 checks passed
@isubasinghe isubasinghe mentioned this pull request Oct 30, 2024
Open
isubasinghe pushed a commit that referenced this pull request Oct 30, 2024
@MinyiZ @isubasinghe
fix: don't mount SA token when automountServiceAccountToken: false. F…
43dccde 
…ixes #12848 (#13820)

Signed-off-by: Minyi Zhong <[email protected]>
Co-authored-by: Minyi Zhong <[email protected]>
isubasinghe pushed a commit that referenced this pull request Oct 30, 2024
@MinyiZ @isubasinghe
fix: don't mount SA token when automountServiceAccountToken: false. F…
70c58a6 
…ixes #12848 (#13820)

Signed-off-by: Minyi Zhong <[email protected]>
Co-authored-by: Minyi Zhong <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@agilgur5 agilgur5 agilgur5 approved these changes

Assignees
No one assigned
Labels
area/controller Controller issues, panics area/executor
Projects
None yet
Milestone
v3.5.x patches
Development

Successfully merging this pull request may close these issues.

resource template getting duplicate exec-sa-token volume mounts with automountServiceAccountToken: false
2 participants
@MinyiZ @agilgur5