Optional support for custom default service account

Signed-off-by: Mikkel Oscar Lyderik Larsen <[email protected]>

cluster/config-defaults.yaml

@@ -537,6 +537,10 @@ teapot_admission_controller_crd_role_provisioning_allowed_api_groups: "flink.k8s
 teapot_admission_controller_topology_spread: optin
 teapot_admission_controller_topology_spread_timeout: 7m
 
+# Inject custom default service account to identify client pods using default SA
+# to read from the Kubernetes API.
+teapot_admission_controller_custom_default_service_account: "false"
+
 
 # Enable and configure runtime-policy annotation
 {{if eq .Cluster.Environment "production"}}

cluster/manifests/01-admission-control/config.yaml

@@ -52,6 +52,10 @@ data:
   podfactory.base-image-check.namespaces: "{{ .Cluster.ConfigItems.teapot_admission_controller_validate_base_images_namespaces }}"
 {{- end }}
 
+{{- if eq .Cluster.ConfigItems.teapot_admission_controller_custom_default_service_account "true"}}
+  podfactory.custom-default-service-account.enable: "true"
+{{- end }}
+
   # This setting enables and disables the container image compliance checks
   pod.image-check.enable: "{{ .Cluster.ConfigItems.teapot_admission_controller_validate_pod_images }}"
 

cluster/node-pools/master-default/userdata.yaml

@@ -205,7 +205,8 @@ write_files:
             limits:
               memory: {{ .Values.InstanceInfo.MemoryFraction (parseInt64 .Cluster.ConfigItems.apiserver_memory_limit_percent)}}
 {{- end }}
-        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-178
+        # - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/production_namespace/teapot/admission-controller:master-178
+        - image: 926694233939.dkr.ecr.eu-central-1.amazonaws.com/staging_namespace/teapot/admission-controller:pr-202-4
           name: admission-controller
           lifecycle:
             preStop: