fix: for bounded service account token

michaellee8 · michaellee8 · commit a978940a74f7 · 2022-08-12T11:14:29.000+08:00
diff --git a/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go b/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go
@@ -136,6 +136,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte
 		if strings.HasPrefix(volume.Name, tokenNamePrefix) {
 			continue
 		}
+		// also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken
+		// https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens
+		if strings.HasPrefix(volume.Name, "kube-api-access-") {
+			continue
+		}
 		newVolumes = append(newVolumes, volume)
 	}
 	spec.Volumes = newVolumes
@@ -149,6 +154,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte
 			if strings.HasPrefix(mount.Name, tokenNamePrefix) {
 				continue
 			}
+			// also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken
+			// https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens
+			if strings.HasPrefix(mount.Name, "kube-api-access-") {
+				continue
+			}
 			newMounts = append(newMounts, mount)
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte`
`136`	`136`	`if strings.HasPrefix(volume.Name, tokenNamePrefix) {`
`137`	`137`	`continue`
`138`	`138`	`}`
	`139`	`+ // also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken`
	`140`	`+ // https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens`
	`141`	`+ if strings.HasPrefix(volume.Name, "kube-api-access-") {`
	`142`	`+ continue`
	`143`	`+ }`
`139`	`144`	`newVolumes = append(newVolumes, volume)`
`140`	`145`	`}`
`141`	`146`	`spec.Volumes = newVolumes`
`@@ -149,6 +154,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte`
`149`	`154`	`if strings.HasPrefix(mount.Name, tokenNamePrefix) {`
`150`	`155`	`continue`
`151`	`156`	`}`
	`157`	`+ // also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken`
	`158`	`+ // https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens`
	`159`	`+ if strings.HasPrefix(mount.Name, "kube-api-access-") {`
	`160`	`+ continue`
	`161`	`+ }`
`152`	`162`	`newMounts = append(newMounts, mount)`
`153`	`163`	`}`
`154`	`164`