remove option to enable shared service account

Author: Dmitriy Kalinin

cmd/controller/app_factory.go

@@ -15,14 +15,13 @@ import (
 )
 
 type AppFactory struct {
-	coreClient                kubernetes.Interface
-	appClient                 kcclient.Interface
-	allowSharedServiceAccount bool
+	coreClient kubernetes.Interface
+	appClient  kcclient.Interface
 }
 
 func (f *AppFactory) NewCRDApp(app *kcv1alpha1.App, log logr.Logger) *ctlapp.CRDApp {
 	fetchFactory := fetch.NewFactory(f.coreClient)
 	templateFactory := template.NewFactory(f.coreClient, fetchFactory)
-	deployFactory := deploy.NewFactory(f.coreClient, allowSharedServiceAccount)
+	deployFactory := deploy.NewFactory(f.coreClient)
 	return ctlapp.NewCRDApp(app, log, f.appClient, fetchFactory, templateFactory, deployFactory)
 }

cmd/controller/main.go

@@ -32,11 +32,10 @@ const (
 )
 
 var (
-	log                       = logf.Log.WithName("kc")
-	ctrlConcurrency           = 10
-	ctrlNamespace             = ""
-	allowSharedServiceAccount = false
-	enablePprof               = false
+	log             = logf.Log.WithName("kc")
+	ctrlConcurrency = 10
+	ctrlNamespace   = ""
+	enablePprof     = false
 )
 
 const (
@@ -46,8 +45,6 @@ const (
 func main() {
 	flag.IntVar(&ctrlConcurrency, "concurrency", 10, "Max concurrent reconciles")
 	flag.StringVar(&ctrlNamespace, "namespace", "", "Namespace to watch")
-	flag.BoolVar(&allowSharedServiceAccount, "dangerous-allow-shared-service-account",
-		false, "If set to true, allow use of shared service account instead of per-app service accounts")
 	flag.BoolVar(&enablePprof, "dangerous-enable-pprof", false, "If set to true, enable pprof on "+pprofListenAddr)
 	flag.Parse()
 
@@ -80,9 +77,8 @@ func main() {
 	}
 
 	appFactory := AppFactory{
-		coreClient:                coreClient,
-		appClient:                 appClient,
-		allowSharedServiceAccount: allowSharedServiceAccount,
+		coreClient: coreClient,
+		appClient:  appClient,
 	}
 
 	{ // add controller for apps
@@ -113,10 +109,6 @@ func main() {
 
 	entryLog.Info("starting manager")
 
-	if allowSharedServiceAccount {
-		entryLog.Info("DANGEROUS in production setting -- allow shared service account")
-	}
-
 	if enablePprof {
 		entryLog.Info("DANGEROUS in production setting -- pprof running", "listen-addr", pprofListenAddr)
 		go func() {

config/deployment.yml

@@ -21,8 +21,6 @@ spec:
       - name: kapp-controller
         image: kapp-controller
         args:
-        #@ if/end data.values.dangerous_allow_shared_service_account:
-        - -dangerous-allow-shared-service-account=true
         #@ if/end data.values.dangerous_enable_pprof:
         - -dangerous-enable-pprof=true
         env:

config/rbac.yml

@@ -12,18 +12,12 @@ apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: kapp-controller-cluster-role
 rules:
-#@ if data.values.dangerous_allow_shared_service_account:
-- apiGroups: ["*"]
-  resources: ["*"]
-  verbs: ["*"]
-#@ else:
 - apiGroups: [""]
   resources: ["serviceaccounts", "secrets", "configmaps"]
   verbs: ["get"]
 - apiGroups: ["kappctrl.k14s.io"]
   resources: ["apps", "apps/status"]
   verbs: ["*"]
-#@ end
 ---
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1

config/values.yml

@@ -3,7 +3,6 @@
 namespace: kapp-controller
 create_namespace: true
 
-dangerous_allow_shared_service_account: false
 dangerous_enable_pprof: false
 
 push_images: false

hack/build-release.sh

@@ -4,10 +4,7 @@ set -e -x -u
 
 mkdir -p tmp/
 
-ytt -f config/ -f config-release | kbld -f- > ./tmp/release.yml --lock-output ./tmp/images.yml
-
-shared_sa_flags="--data-value-yaml dangerous_allow_shared_service_account=true"
-ytt -f config/ -f config-release $shared_sa_flags | kbld -f- -f ./tmp/images.yml > ./tmp/release-dangerous-allow-shared-sa.yml
+ytt -f config/ -f config-release | kbld -f- > ./tmp/release.yml
 
 shasum -a 256 ./tmp/release*.yml
 

pkg/deploy/factory.go

@@ -11,16 +11,14 @@ import (
 )
 
 type Factory struct {
-	coreClient                kubernetes.Interface
-	allowSharedServiceAccount bool
+	coreClient kubernetes.Interface
 
 	kubeconfigSecrets *KubeconfigSecrets
 	serviceAccounts   *ServiceAccounts
 }
 
-func NewFactory(coreClient kubernetes.Interface, allowSharedServiceAccount bool) Factory {
-	return Factory{coreClient, allowSharedServiceAccount,
-		NewKubeconfigSecrets(coreClient), NewServiceAccounts(coreClient)}
+func NewFactory(coreClient kubernetes.Interface) Factory {
+	return Factory{coreClient, NewKubeconfigSecrets(coreClient), NewServiceAccounts(coreClient)}
 }
 
 func (f Factory) NewKapp(opts v1alpha1.AppDeployKapp, saName string,
@@ -42,9 +40,7 @@ func (f Factory) NewKapp(opts v1alpha1.AppDeployKapp, saName string,
 		}
 
 	default:
-		if !f.allowSharedServiceAccount {
-			return nil, fmt.Errorf("Expected service account or cluster specified (shared service account is not allowed)")
-		}
+		return nil, fmt.Errorf("Expected service account or cluster specified")
 	}
 
 	return NewKapp(opts, genericOpts, cancelCh), nil