kustomize: use separate ServiceAccount for Quay app pods (PROJQUAY-1909)

The Quay app pods will use their own ServiceAccount, rather than the default one in the namespace. This allows modifying permissions using SecurityContextConstraints without affecting other pods in the namespace. Signed-off-by: Alec Merdler <[email protected]>
quay · Apr 20, 2021 · 8f3df20 · 8f3df20
1 parent 007de38
commit 8f3df20
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 0 deletions.
diff --git a/kustomize/base/quay.deployment.yaml b/kustomize/base/quay.deployment.yaml
@@ -14,6 +14,7 @@ spec:
       labels:
         quay-component: quay-app
     spec:
+      serviceAccountName: quay-app
       volumes:
         - name: configvolume
           secret:

diff --git a/kustomize/base/quay.serviceaccount.yaml b/kustomize/base/quay.serviceaccount.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: quay-app
diff --git a/pkg/kustomize/kustomize_test.go b/pkg/kustomize/kustomize_test.go
@@ -216,6 +216,7 @@ var quayComponents = map[string][]client.Object{
 		&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "cluster-service-ca"}},
 		&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "quay-config-editor-credentials"}},
 		&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "quay-registry-managed-secret-keys"}},
+		&corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "quay-app"}},
 	},
 	"clair": {
 		&corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "clair-config-secret"}},