diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml index 8c7db5e0833d..a3fda3d970a8 100644 --- a/app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml +++ b/app/kumactl/cmd/install/testdata/install-control-plane.dump-values.yaml @@ -498,7 +498,12 @@ ingress: # -- Security context at the container level for ingress containerSecurityContext: - readOnlyRootFilesystem: true + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true egress: # -- If true, it deploys Egress for cross cluster communication @@ -602,7 +607,12 @@ egress: # -- Security context at the container level for egress containerSecurityContext: - readOnlyRootFilesystem: true + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true kumactl: image: diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml index a599999d9ef1..75bb06610192 100644 --- a/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml +++ b/app/kumactl/cmd/install/testdata/install-control-plane.with-egress.golden.yaml @@ -573,6 +573,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-egress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml index 99fd26c8198d..1503561f5a67 100644 
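Review bot: The two comments added under `ingress:` ("Annotations to add for Control Plane's Service Account" and "Whether to automountServiceAccountToken for cp") describe the control plane, but the values they sit on configure the ingress ServiceAccount and pod; the second hunk of this file repeats the same wording under `egress:`, and the README.md hunks later in this diff carry it into the `ingress.*` and `egress.*` rows. Since this file is presumably dumped from the chart's values.yaml, which is not in this diff, that is where the wording should be fixed. I would change them to `# -- Annotations to add for the Ingress Service Account` and `# -- Whether to automountServiceAccountToken for ingress. Optionally set to false`, and the egress pair likewise. The descriptions should also say what `false` means here, because the egress-deployment.yaml hunk in this diff then mounts a projected token explicitly rather than leaving the pod without one, which is not what an operator setting `automountServiceAccountToken: false` for hardening usually expects.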
--- a/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml +++ b/app/kumactl/cmd/install/testdata/install-control-plane.with-helm-set.yaml @@ -6659,6 +6659,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-egress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux @@ -6789,6 +6790,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-ingress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml b/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml index 239624f78648..bf95bf27e8f5 100644 --- a/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml +++ b/app/kumactl/cmd/install/testdata/install-control-plane.with-ingress.golden.yaml @@ -577,6 +577,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-ingress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml index 6a56e50e027a..7d094c5f342e 100644 --- a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml +++ b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4496.golden.yaml @@ -590,6 +590,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-ingress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml index c60feb9fb8c8..ffa788c05aee 100644 --- a/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml +++ b/app/kumactl/cmd/install/testdata/install-cp-helm/fix4935.golden.yaml 
@@ -839,6 +839,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-egress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux @@ -972,6 +973,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-ingress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix5978.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix5978.golden.yaml index fbad3bd2376f..b026f493857b 100644 --- a/app/kumactl/cmd/install/testdata/install-cp-helm/fix5978.golden.yaml +++ b/app/kumactl/cmd/install/testdata/install-cp-helm/fix5978.golden.yaml @@ -611,6 +611,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-egress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux @@ -741,6 +742,7 @@ spec: runAsNonRoot: true runAsUser: 5678 serviceAccountName: kuma-ingress + automountServiceAccountToken: true nodeSelector: kubernetes.io/os: linux diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix7824.golden.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix7824.golden.yaml new file mode 100644 index 000000000000..6d7881657fb4 --- /dev/null +++ b/app/kumactl/cmd/install/testdata/install-cp-helm/fix7824.golden.yaml 
@@ -0,0 +1,1180 @@ + +--- +apiVersion: v1 +kind: Namespace +metadata: + name: kuma-system + labels: + kuma.io/system-namespace: "true" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kuma-control-plane + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + annotations: + foo: '{"bar": "cp"}' + ping: cp +imagePullSecrets: + - name: "image-secret" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kuma-egress + namespace: kuma-system + labels: + app: kuma-egress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + annotations: + foo: '{"baz": "egress"}' + ping: egress +imagePullSecrets: + - name: "image-secret" +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kuma-ingress + namespace: kuma-system + labels: + app: kuma-ingress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + annotations: + foo: '{"baz": "ingress"}' + ping: ingress +imagePullSecrets: + - name: "image-secret" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kuma-control-plane-config + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +data: + config.yaml: | + # use this file to override default configuration of `kuma-cp` + # + # see conf/kuma-cp.conf.yml for available settings +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kuma-control-plane + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +rules: + - apiGroups: + - "" + resources: + - namespaces + - pods + - configmaps + - nodes + verbs: + - get + - list + - watch + - apiGroups: + - "apps" + resources: + - deployments + - replicasets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - "batch" + resources: + - jobs + verbs: + - get + - list + - watch + - apiGroups: + - gateway.networking.k8s.io 
+ resources: + - gatewayclasses + - gateways + - referencegrants + - httproutes + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - gateway.networking.k8s.io + resources: + - gatewayclasses/status + - gateways/status + - httproutes/status + verbs: + - get + - patch + - update + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "" + resources: + - services + verbs: + - get + - delete + - list + - watch + - create + - update + - patch + - apiGroups: + - kuma.io + resources: + - dataplanes + - dataplaneinsights + - meshes + - zones + - zoneinsights + - zoneingresses + - zoneingressinsights + - zoneegresses + - zoneegressinsights + - meshinsights + - serviceinsights + - proxytemplates + - ratelimits + - trafficpermissions + - trafficroutes + - timeouts + - retries + - circuitbreakers + - virtualoutbounds + - containerpatches + - externalservices + - faultinjections + - healthchecks + - trafficlogs + - traffictraces + - meshgateways + - meshgatewayroutes + - meshgatewayinstances + - meshaccesslogs + - meshcircuitbreakers + - meshfaultinjections + - meshhealthchecks + - meshhttproutes + - meshloadbalancingstrategies + - meshproxypatches + - meshratelimits + - meshretries + - meshtcproutes + - meshtimeouts + - meshtraces + - meshtrafficpermissions + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - kuma.io + resources: + - meshgatewayinstances/status + - meshgatewayinstances/finalizers + - meshes/finalizers + - dataplanes/finalizers + verbs: + - get + - patch + - update + - apiGroups: + - "" + resources: + - pods/finalizers + verbs: + - get + - patch + - update + # validate k8s token before issuing mTLS cert + - apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create 
+--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kuma-control-plane + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kuma-control-plane +subjects: + - kind: ServiceAccount + name: kuma-control-plane + namespace: kuma-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: kuma-control-plane + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +rules: + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - configmaps + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + # leader-for-life election deletes Pods in some circumstances + - apiGroups: + - "" + resources: + - pods + verbs: + - delete +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: kuma-control-plane + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kuma-control-plane +subjects: + - kind: ServiceAccount + name: kuma-control-plane + namespace: kuma-system +--- +apiVersion: v1 +kind: Service +metadata: + name: kuma-control-plane + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "5680" +spec: + type: ClusterIP + ports: + - port: 5680 + name: diagnostics + appProtocol: http + - port: 5681 + name: http-api-server + appProtocol: http + - port: 5682 + name: https-api-server + appProtocol: https + - port: 443 + name: https-admission-server + targetPort: 5443 + appProtocol: https + - port: 
5676 + name: mads-server + appProtocol: https + - port: 5678 + name: dp-server + appProtocol: https + selector: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +--- +apiVersion: v1 +kind: Service +metadata: + name: kuma-egress + namespace: kuma-system + labels: + app: kuma-egress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + annotations: +spec: + type: ClusterIP + ports: + - port: 10002 + protocol: TCP + targetPort: 10002 + selector: + app: kuma-egress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +--- +apiVersion: v1 +kind: Service +metadata: + name: kuma-ingress + namespace: kuma-system + labels: + app: kuma-ingress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + annotations: +spec: + type: LoadBalancer + ports: + - port: 10001 + protocol: TCP + targetPort: 10001 + selector: + app: kuma-ingress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kuma-control-plane + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +spec: + replicas: 1 + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + selector: + matchLabels: + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + app: kuma-control-plane + template: + metadata: + annotations: + checksum/config: fd9d1d8386f97f2bd49e50f476520816168a1c9f60bbc43dec1347a64d239155 + checksum/tls-secrets: 7b6ae860b2e6214ea9bd8283136caf4596a9e217a60e28e709a2e781f9676180 + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - 'kuma' + - key: app.kubernetes.io/instance + operator: In + values: + - 'kuma' + - 
key: app + operator: In + values: + - 'kuma-control-plane' + topologyKey: kubernetes.io/hostname + weight: 100 + securityContext: + runAsNonRoot: true + serviceAccountName: kuma-control-plane + automountServiceAccountToken: false + nodeSelector: + + kubernetes.io/os: linux + hostNetwork: false + terminationGracePeriodSeconds: 30 + containers: + - name: control-plane + image: "docker.io/kumahq/kuma-cp:0.0.1" + imagePullPolicy: IfNotPresent + securityContext: + readOnlyRootFilesystem: true + env: + - name: KUMA_API_SERVER_AUTHN_LOCALHOST_IS_ADMIN + value: "false" + - name: KUMA_API_SERVER_READ_ONLY + value: "true" + - name: KUMA_DEFAULTS_SKIP_MESH_CREATION + value: "false" + - name: KUMA_DP_SERVER_HDS_ENABLED + value: "false" + - name: KUMA_ENVIRONMENT + value: "kubernetes" + - name: KUMA_GENERAL_TLS_CERT_FILE + value: "/var/run/secrets/kuma.io/tls-cert/tls.crt" + - name: KUMA_GENERAL_TLS_KEY_FILE + value: "/var/run/secrets/kuma.io/tls-cert/tls.key" + - name: KUMA_INJECTOR_INIT_CONTAINER_IMAGE + value: "docker.io/kumahq/kuma-init:0.0.1" + - name: KUMA_MODE + value: "zone" + - name: KUMA_MULTIZONE_ZONE_GLOBAL_ADDRESS + value: "grpcs://foo.com:3456" + - name: KUMA_MULTIZONE_ZONE_NAME + value: "zone-1" + - name: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_CERT_DIR + value: "/var/run/secrets/kuma.io/tls-cert" + - name: KUMA_RUNTIME_KUBERNETES_ADMISSION_SERVER_PORT + value: "5443" + - name: KUMA_RUNTIME_KUBERNETES_CONTROL_PLANE_SERVICE_NAME + value: "kuma-control-plane" + - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_CA_CERT_FILE + value: "/var/run/secrets/kuma.io/tls-cert/ca.crt" + - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_CNI_ENABLED + value: "false" + - name: KUMA_RUNTIME_KUBERNETES_INJECTOR_SIDECAR_CONTAINER_IMAGE + value: "docker.io/kumahq/kuma-dp:0.0.1" + - name: KUMA_RUNTIME_KUBERNETES_SERVICE_ACCOUNT_NAME + value: "system:serviceaccount:kuma-system:kuma-control-plane" + - name: KUMA_STORE_KUBERNETES_SYSTEM_NAMESPACE + value: "kuma-system" + - name: KUMA_STORE_TYPE + value: 
"kubernetes" + - name: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS + valueFrom: + fieldRef: + fieldPath: status.podIP + args: + - run + - --log-level=info + - --log-output-path= + - --config-file=/etc/kuma.io/kuma-control-plane/config.yaml + ports: + - containerPort: 5680 + name: diagnostics + protocol: TCP + - containerPort: 5681 + - containerPort: 5682 + - containerPort: 5443 + - containerPort: 5678 + livenessProbe: + timeoutSeconds: 10 + httpGet: + path: /healthy + port: 5680 + readinessProbe: + timeoutSeconds: 10 + httpGet: + path: /ready + port: 5680 + resources: + limits: + memory: 256Mi + requests: + cpu: 500m + memory: 256Mi + + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true + - name: general-tls-cert + mountPath: /var/run/secrets/kuma.io/tls-cert/tls.crt + subPath: tls.crt + readOnly: true + - name: general-tls-cert + mountPath: /var/run/secrets/kuma.io/tls-cert/tls.key + subPath: tls.key + readOnly: true + - name: general-tls-cert + mountPath: /var/run/secrets/kuma.io/tls-cert/ca.crt + subPath: ca.crt + readOnly: true + - name: kuma-control-plane-config + mountPath: /etc/kuma.io/kuma-control-plane + readOnly: true + - name: tmp + mountPath: /tmp + volumes: + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: general-tls-cert + secret: + secretName: general-tls-secret + - name: kuma-control-plane-config + configMap: + name: kuma-control-plane-config + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kuma-egress + namespace: kuma-system + labels: + app: kuma-egress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +spec: + strategy: + rollingUpdate: + 
maxSurge: 1 + maxUnavailable: 0 + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + app: kuma-egress + template: + metadata: + annotations: + kuma.io/egress: enabled + labels: + app: kuma-egress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - 'kuma' + - key: app.kubernetes.io/instance + operator: In + values: + - 'kuma' + - key: app + operator: In + values: + - kuma-egress + topologyKey: kubernetes.io/hostname + weight: 100 + securityContext: + runAsGroup: 5678 + runAsNonRoot: true + runAsUser: 5678 + serviceAccountName: kuma-egress + automountServiceAccountToken: false + nodeSelector: + + kubernetes.io/os: linux + containers: + - name: egress + image: "docker.io/kumahq/kuma-dp:0.0.1" + imagePullPolicy: IfNotPresent + securityContext: + readOnlyRootFilesystem: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUMA_CONTROL_PLANE_URL + value: "https://kuma-control-plane.kuma-system:5678" + - name: KUMA_CONTROL_PLANE_CA_CERT_FILE + value: /var/run/secrets/kuma.io/cp-ca/ca.crt + - name: KUMA_DATAPLANE_NAME + value: $(POD_NAME).$(POD_NAMESPACE) + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 30s + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DATAPLANE_PROXY_TYPE + value: "egress" + args: + - run + - --log-level=info + ports: + - containerPort: 10002 + livenessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + initialDelaySeconds: 60 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + 
initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 50m + memory: 64Mi + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true + - name: control-plane-ca + mountPath: /var/run/secrets/kuma.io/cp-ca + readOnly: true + - name: tmp + mountPath: /tmp + volumes: + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: control-plane-ca + secret: + secretName: "general-tls-secret" + items: + - key: ca.crt + path: ca.crt + - name: tmp + emptyDir: {} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kuma-ingress + namespace: kuma-system + labels: + app: kuma-ingress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +spec: + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + app: kuma-ingress + template: + metadata: + annotations: + kuma.io/ingress: enabled + labels: + app: kuma-ingress + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - 'kuma' + - key: app.kubernetes.io/instance + operator: In + values: + - 'kuma' + - key: app + operator: In + values: + - kuma-ingress + topologyKey: kubernetes.io/hostname + weight: 100 + securityContext: + runAsGroup: 5678 + runAsNonRoot: true + runAsUser: 5678 + serviceAccountName: kuma-ingress + automountServiceAccountToken: false + 
nodeSelector: + + kubernetes.io/os: linux + terminationGracePeriodSeconds: 40 + containers: + - name: ingress + image: "docker.io/kumahq/kuma-dp:0.0.1" + imagePullPolicy: IfNotPresent + securityContext: + readOnlyRootFilesystem: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: KUMA_CONTROL_PLANE_URL + value: "https://kuma-control-plane.kuma-system:5678" + - name: KUMA_CONTROL_PLANE_CA_CERT_FILE + value: /var/run/secrets/kuma.io/cp-ca/ca.crt + - name: KUMA_DATAPLANE_NAME + value: $(POD_NAME).$(POD_NAMESPACE) + - name: KUMA_DATAPLANE_DRAIN_TIME + value: 30s + - name: KUMA_DATAPLANE_RUNTIME_TOKEN_PATH + value: /var/run/secrets/kubernetes.io/serviceaccount/token + - name: KUMA_DATAPLANE_PROXY_TYPE + value: "ingress" + args: + - run + - --log-level=info + ports: + - containerPort: 10001 + livenessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + initialDelaySeconds: 60 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + readinessProbe: + httpGet: + path: "/ready" + port: 9901 + failureThreshold: 12 + initialDelaySeconds: 1 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 3 + resources: + limits: + cpu: 1000m + memory: 512Mi + requests: + cpu: 50m + memory: 64Mi + + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true + - name: control-plane-ca + mountPath: /var/run/secrets/kuma.io/cp-ca + readOnly: true + - name: tmp + mountPath: /tmp + volumes: + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace + - name: control-plane-ca + secret: + secretName: "general-tls-secret" + 
items: + - key: ca.crt + path: ca.crt + - name: tmp + emptyDir: {} +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: kuma-admission-mutating-webhook-configuration + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +webhooks: + - name: mesh.defaulter.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Fail + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /default-kuma-io-v1alpha1-mesh + rules: + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - meshes + - meshaccesslogs + - meshcircuitbreakers + - meshfaultinjections + - meshhealthchecks + - meshhttproutes + - meshloadbalancingstrategies + - meshproxypatches + - meshratelimits + - meshretries + - meshtcproutes + - meshtimeouts + - meshtraces + - meshtrafficpermissions + sideEffects: None + - name: owner-reference.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Fail + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /owner-reference-kuma-io-v1alpha1 + rules: + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + resources: + - circuitbreakers + - externalservices + - faultinjections + - healthchecks + - meshgateways + - meshgatewayroutes + - proxytemplates + - ratelimits + - retries + - timeouts + - trafficlogs + - trafficpermissions + - trafficroutes + - traffictraces + - virtualoutbounds + - meshaccesslogs + - meshcircuitbreakers + - meshfaultinjections + - meshhealthchecks + - meshhttproutes + - meshloadbalancingstrategies + - meshproxypatches + - meshratelimits + - meshretries + - meshtcproutes + - meshtimeouts + - meshtraces + - meshtrafficpermissions + + + sideEffects: None + - name: namespace-kuma-injector.kuma.io + admissionReviewVersions: ["v1"] + 
failurePolicy: Fail + namespaceSelector: + matchLabels: + kuma.io/sidecar-injection: enabled + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /inject-sidecar + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + - name: pods-kuma-injector.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Fail + objectSelector: + matchLabels: + kuma.io/sidecar-injection: enabled + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /inject-sidecar + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None + - name: kuma-injector.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Ignore + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /inject-sidecar + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + resources: + - pods + sideEffects: None +--- +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: kuma-validating-webhook-configuration + namespace: kuma-system + labels: + app: kuma-control-plane + app.kubernetes.io/name: kuma + app.kubernetes.io/instance: kuma +webhooks: + - name: validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Fail + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /validate-kuma-io-v1alpha1 + rules: + - apiGroups: + - kuma.io + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - circuitbreakers + - dataplanes + - externalservices + - faultinjections + - gatewayinstances + - healthchecks + - meshes + - meshgateways + - meshgatewayroutes + - proxytemplates + - ratelimits + - retries + - trafficlogs + - trafficpermissions + - trafficroutes + - traffictraces + - 
virtualoutbounds + - zones + - containerpatches + - meshaccesslogs + - meshcircuitbreakers + - meshfaultinjections + - meshhealthchecks + - meshhttproutes + - meshloadbalancingstrategies + - meshproxypatches + - meshratelimits + - meshretries + - meshtcproutes + - meshtimeouts + - meshtraces + - meshtrafficpermissions + + + sideEffects: None + - name: service.validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Ignore + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /validate-v1-service + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + resources: + - services + sideEffects: None + - name: secret.validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + namespaceSelector: + matchLabels: + kuma.io/system-namespace: "true" + failurePolicy: Ignore + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /validate-v1-secret + rules: + - apiGroups: + - "" + apiVersions: + - v1 + operations: + - CREATE + - UPDATE + - DELETE + resources: + - secrets + sideEffects: None + - name: gateway.validator.kuma-admission.kuma.io + admissionReviewVersions: ["v1"] + failurePolicy: Ignore + clientConfig: + caBundle: XYZ + service: + namespace: kuma-system + name: kuma-control-plane + path: /validate-gatewayclass + rules: + - apiGroups: + - "gateway.networking.k8s.io" + apiVersions: + - v1beta1 + operations: + - CREATE + resources: + - gatewayclasses + sideEffects: None diff --git a/app/kumactl/cmd/install/testdata/install-cp-helm/fix7824.values.yaml b/app/kumactl/cmd/install/testdata/install-cp-helm/fix7824.values.yaml new file mode 100644 index 000000000000..02017a414c5d --- /dev/null +++ b/app/kumactl/cmd/install/testdata/install-cp-helm/fix7824.values.yaml 
@@ -0,0 +1,22 @@ +global: + imagePullSecrets: [image-secret] +controlPlane: + kdsGlobalAddress: "grpcs://foo.com:3456" + mode: zone + zone: zone-1 + automountServiceAccountToken: false + serviceAccountAnnotations: + foo: '{"bar": "cp"}' + ping: "cp" +egress: + enabled: true + automountServiceAccountToken: false + serviceAccountAnnotations: + foo: '{"baz": "egress"}' + ping: "egress" +ingress: + enabled: true + automountServiceAccountToken: false + serviceAccountAnnotations: + foo: '{"baz": "ingress"}' + ping: "ingress" diff --git a/deployments/charts/kuma/README.md b/deployments/charts/kuma/README.md index e90ffa45ce8f..2f17e0585cb3 100644 --- a/deployments/charts/kuma/README.md +++ b/deployments/charts/kuma/README.md @@ -145,6 +145,8 @@ A Helm chart for the Kuma Control Plane | ingress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Mesh Ingress pods. This is rendered as a template, so you can use variables to generate match labels. | | ingress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for ingress | | ingress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for ingress | +| ingress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account | +| ingress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false | | egress.enabled | bool | `false` | If true, it deploys Egress for cross cluster communication | | egress.extraLabels | object | `{}` | Labels to add to resources, in addition to the default labels. | | egress.drainTime | string | `"30s"` | Time for which old listener will still be active as draining | 
@@ -174,6 +176,8 @@ A Helm chart for the Kuma Control Plane
 | egress.topologySpreadConstraints | string | `nil` | Topology spread constraints rule for the Kuma Egress pods. This is rendered as a template, so you can use variables to generate match labels. |
 | egress.podSecurityContext | object | `{"runAsGroup":5678,"runAsNonRoot":true,"runAsUser":5678}` | Security context at the pod level for egress |
 | egress.containerSecurityContext | object | `{"readOnlyRootFilesystem":true}` | Security context at the container level for egress |
+| egress.serviceAccountAnnotations | object | `{}` | Annotations to add for Control Plane's Service Account |
+| egress.automountServiceAccountToken | bool | `true` | Whether to automountServiceAccountToken for cp. Optionally set to false |
 | kumactl.image.repository | string | `"kumactl"` | The kumactl image repository |
 | kumactl.image.tag | string | `nil` | The kumactl image tag. When not specified, the value is copied from global.tag |
 | kubectl.image.registry | string | `"docker.io"` | The kubectl image registry |
diff --git a/deployments/charts/kuma/templates/cp-rbac.yaml b/deployments/charts/kuma/templates/cp-rbac.yaml
index 953db4399634..4bcba8fc3305 100644
--- a/deployments/charts/kuma/templates/cp-rbac.yaml
+++ b/deployments/charts/kuma/templates/cp-rbac.yaml
@@ -4,10 +4,10 @@ metadata:
 name: {{ include "kuma.name" . }}-control-plane
 namespace: {{ .Release.Namespace }}
 labels: {{ include "kuma.cpLabels" . | nindent 4 }}
- {{- with .Values.controlPlane.serviceAccountAnnotations }}
+{{- with .Values.controlPlane.serviceAccountAnnotations }}
 annotations:
 {{- toYaml . | nindent 4 }}
- {{- end }}
+{{- end }}
 {{- with .Values.global.imagePullSecrets }}
 imagePullSecrets:
 {{- range . }}
diff --git a/deployments/charts/kuma/templates/egress-deployment.yaml b/deployments/charts/kuma/templates/egress-deployment.yaml
index c282203d7b17..b3ca0bd9ffbb 100644
--- a/deployments/charts/kuma/templates/egress-deployment.yaml
+++ b/deployments/charts/kuma/templates/egress-deployment.yaml @@ -36,6 +36,7 @@ spec: securityContext: {{- toYaml .Values.egress.podSecurityContext | trim | nindent 8 }} serviceAccountName: {{ include "kuma.name" . }}-egress + automountServiceAccountToken: {{ .Values.egress.automountServiceAccountToken }} {{- with .Values.egress.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} @@ -96,12 +97,37 @@ spec: timeoutSeconds: 3 resources: {{ toYaml .Values.egress.resources | nindent 12 }} volumeMounts: +{{- if not .Values.egress.automountServiceAccountToken }} + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true +{{- end }} - name: control-plane-ca mountPath: /var/run/secrets/kuma.io/cp-ca readOnly: true - name: tmp mountPath: /tmp volumes: +{{- if not .Values.egress.automountServiceAccountToken }} + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +{{- end }} - name: control-plane-ca secret: secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }} diff --git a/deployments/charts/kuma/templates/egress-rbac.yaml b/deployments/charts/kuma/templates/egress-rbac.yaml index e26a12d85fd7..1b4326fdb37b 100644 --- a/deployments/charts/kuma/templates/egress-rbac.yaml +++ b/deployments/charts/kuma/templates/egress-rbac.yaml @@ -5,4 +5,14 @@ metadata: name: {{ include "kuma.name" . }}-egress namespace: {{ .Release.Namespace }} labels: {{ include "kuma.egressLabels" . | nindent 4 }} +{{- with .Values.egress.serviceAccountAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- range . }} + - name: {{ . | quote }} + {{- end }} +{{- end }} {{- end }} 
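Review bot: The two `{{- if not .Values.egress.automountServiceAccountToken }}` blocks under `volumeMounts:` and `volumes:` in `@@ -96,12 +97,37 @@` carry no comment saying why a token is still mounted when automount is switched off, so a later reader may take the projected volume for something that undoes the setting and delete it; a template comment above the first guard, e.g. `{{- /* automount is off: mount the service account token explicitly as a read-only projected volume with a 1h expiry, so the pod-level setting can stay false while the container keeps a bounded token */ }}`, keeps the intent next to the code. `expirationSeconds: 3600` and `defaultMode: 420` are bare literals with no value behind them; either say in that comment that they are deliberately fixed or expose the expiry as a chart value so operators can shorten it. The identical block is added to ingress-deployment.yaml (`@@ -36,6 +36,7 @@` and `@@ -100,12 +101,37 @@`) and would take the same comment. The enclosing Deployment pod spec starts outside both hunks.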
diff --git a/deployments/charts/kuma/templates/ingress-deployment.yaml b/deployments/charts/kuma/templates/ingress-deployment.yaml index b301c8f4e70c..d8fa5750c068 100644 --- a/deployments/charts/kuma/templates/ingress-deployment.yaml +++ b/deployments/charts/kuma/templates/ingress-deployment.yaml @@ -36,6 +36,7 @@ spec: securityContext: {{- toYaml .Values.ingress.podSecurityContext | trim | nindent 8 }} serviceAccountName: {{ include "kuma.name" . }}-ingress + automountServiceAccountToken: {{ .Values.ingress.automountServiceAccountToken }} {{- with .Values.ingress.nodeSelector }} nodeSelector: {{ toYaml . | nindent 8 }} @@ -100,12 +101,37 @@ spec: lifecycle: {{ . | toYaml | nindent 12 }} {{ end }} volumeMounts: +{{- if not .Values.ingress.automountServiceAccountToken }} + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: serviceaccount-token + readOnly: true +{{- end }} - name: control-plane-ca mountPath: /var/run/secrets/kuma.io/cp-ca readOnly: true - name: tmp mountPath: /tmp volumes: +{{- if not .Values.ingress.automountServiceAccountToken }} + - name: serviceaccount-token + projected: + defaultMode: 420 + sources: + - serviceAccountToken: + expirationSeconds: 3600 + path: token + - configMap: + name: kube-root-ca.crt + items: + - key: ca.crt + path: ca.crt + - downwardAPI: + items: + - fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + path: namespace +{{- end }} - name: control-plane-ca secret: secretName: {{ include "kuma.controlPlane.tls.general.caSecretName" . }} diff --git a/deployments/charts/kuma/templates/ingress-rbac.yaml b/deployments/charts/kuma/templates/ingress-rbac.yaml index b99a52bd515f..e4e1d61ced7b 100644 --- a/deployments/charts/kuma/templates/ingress-rbac.yaml +++ b/deployments/charts/kuma/templates/ingress-rbac.yaml 
@@ -5,6 +5,10 @@ metadata: name: {{ include "kuma.name" . }}-ingress namespace: {{ .Release.Namespace }} labels: {{ include "kuma.ingressLabels" . | nindent 4 }} +{{- with .Values.ingress.serviceAccountAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} +{{- end }} {{- with .Values.global.imagePullSecrets }} imagePullSecrets: {{- range . }} diff --git a/deployments/charts/kuma/values.yaml b/deployments/charts/kuma/values.yaml index 8c7db5e0833d..a3fda3d970a8 100644 --- a/deployments/charts/kuma/values.yaml +++ b/deployments/charts/kuma/values.yaml @@ -498,7 +498,12 @@ ingress: # -- Security context at the container level for ingress containerSecurityContext: - readOnlyRootFilesystem: true + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true egress: # -- If true, it deploys Egress for cross cluster communication @@ -602,7 +607,12 @@ egress: # -- Security context at the container level for egress containerSecurityContext: - readOnlyRootFilesystem: true + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true kumactl: image: diff --git a/docs/generated/raw/helm-values.yaml b/docs/generated/raw/helm-values.yaml index 8c7db5e0833d..a3fda3d970a8 100644 --- a/docs/generated/raw/helm-values.yaml +++ b/docs/generated/raw/helm-values.yaml 
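Review bot: The comments on the new `serviceAccountAnnotations` and `automountServiceAccountToken` keys in values.yaml (`@@ -498,7 +498,12 @@` under `ingress:` and `@@ -602,7 +607,12 @@` under `egress:`) read "Control Plane's Service Account" and "for cp", which are copied from the controlPlane section, while these values are consumed by ingress-rbac.yaml / egress-rbac.yaml and the ingress/egress Deployments in this same commit; change them to `# -- Annotations to add for Ingress' Service Account` and `# -- Whether to automountServiceAccountToken for ingress. Optionally set to false`, with the egress equivalents. The README rows and docs/generated/raw/helm-values.yaml carry the same wording and appear to be generated from these comments, so fixing values.yaml and regenerating covers them. `serviceAccountAnnotations: { }` is written with a space inside the braces while the README renders the default as `{}`; `{}` is the usual form for an empty map and avoids the mismatch.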
@@ -498,7 +498,12 @@ ingress: # -- Security context at the container level for ingress containerSecurityContext: - readOnlyRootFilesystem: true + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true egress: # -- If true, it deploys Egress for cross cluster communication @@ -602,7 +607,12 @@ egress: # -- Security context at the container level for egress containerSecurityContext: - readOnlyRootFilesystem: true + readOnlyRootFilesystem: true + + # -- Annotations to add for Control Plane's Service Account + serviceAccountAnnotations: { } + # -- Whether to automountServiceAccountToken for cp. Optionally set to false + automountServiceAccountToken: true kumactl: image: