Expand Up @@ -106,6 +106,7 @@ spec:
requests:
cpu: 1000m
memory: 256Mi
serviceAccountName: controller-manager
serviceAccountName: router-sa
automountServiceAccountToken: false
terminationGracePeriodSeconds: 10
{{ end }}
Expand Up @@ -3,7 +3,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/name: jumpstarter-router
do not modify any helm, it has been deprecated.

app.kubernetes.io/name: jumpstarter-controller
name: leader-election-role
namespace: {{ default .Release.Namespace .Values.namespace }}
rules:
Expand Down
Expand Up @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: jumpstarter-router
app.kubernetes.io/name: jumpstarter-controller
namespace: {{ default .Release.Namespace .Values.namespace }}
name: leader-election-rolebinding
roleRef:
Expand Down
Expand Up @@ -2,7 +2,7 @@ apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: jumpstarter-router
app.kubernetes.io/name: jumpstarter-controller
annotations:
argocd.argoproj.io/sync-wave: "-1"
name: jumpstarter-manager-rolebinding
Expand Down
Expand Up @@ -2,8 +2,19 @@ apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: jumpstarter-router
app.kubernetes.io/name: jumpstarter-controller
annotations:
argocd.argoproj.io/sync-wave: "-1"
name: controller-manager
namespace: {{ default .Release.Namespace .Values.namespace }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/name: jumpstarter-router
annotations:
argocd.argoproj.io/sync-wave: "-1"
name: router-sa
namespace: {{ default .Release.Namespace .Values.namespace }}
automountServiceAccountToken: false
Expand Up @@ -105,5 +105,6 @@ spec:
secret:
secretName: {{ .Values.grpc.tls.routerCertSecret }}
{{- end }}
serviceAccountName: controller-manager
serviceAccountName: router-sa
automountServiceAccountToken: false
terminationGracePeriodSeconds: 10
Expand Up @@ -1017,8 +1017,9 @@ func (r *JumpstarterReconciler) createRouterDeployment(jumpstarter *operatorv1al
Type: corev1.SeccompProfileTypeRuntimeDefault,
},
},
ServiceAccountName: fmt.Sprintf("%s-controller-manager", jumpstarter.Name),
TopologySpreadConstraints: jumpstarter.Spec.Routers.TopologySpreadConstraints,
ServiceAccountName: fmt.Sprintf("%s-router-sa", jumpstarter.Name),
AutomountServiceAccountToken: boolPtr(false),
TopologySpreadConstraints: jumpstarter.Spec.Routers.TopologySpreadConstraints,
},
},
},
Expand Down
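Review bot: The pod template now names `<name>-router-sa`, a ServiceAccount that is created by a separate reconcile step, so if that step runs after this Deployment is applied within the same Reconcile (the call order is outside this hunk) the ReplicaSet's pod creation fails with a missing-ServiceAccount error until a later pass; worth confirming the SA reconcile precedes createRouterDeployment. The pod-level `AutomountServiceAccountToken: boolPtr(false)` takes precedence over the ServiceAccount's own flag, so the router gets no projected token even if the SA object is later edited, and that intent deserves a why-comment on the line: `// Router runs under a dedicated SA with no RBAC bindings; pod-level automount=false wins over the SA flag.` createRouterDeployment's body begins and ends outside the hunk.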
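--- a/controller/deploy/operator/internal/controller/jumpstarter/rbac.go
+++ b/controller/deploy/operator/internal/controller/jumpstarter/rbac.go
@@ -61,6 +61,46 @@ func (r *JumpstarterReconciler) reconcileRBAC(ctx context.Context, jumpstarter *
 "namespace", existingSA.Namespace,
 "operation", op)
 
+// Router ServiceAccount (zero RBAC, no token automount)
+desiredRouterSA := r.createRouterServiceAccount(jumpstarter)
+
+existingRouterSA := &corev1.ServiceAccount{}
+existingRouterSA.Name = desiredRouterSA.Name
+existingRouterSA.Namespace = desiredRouterSA.Namespace
+
+op, err = controllerutil.CreateOrUpdate(ctx, r.Client, existingRouterSA, func() error {
+if existingRouterSA.CreationTimestamp.IsZero() {
+existingRouterSA.Labels = desiredRouterSA.Labels
+existingRouterSA.Annotations = desiredRouterSA.Annotations
+existingRouterSA.AutomountServiceAccountToken = desiredRouterSA.AutomountServiceAccountToken
+return nil
+}
+
+if !serviceAccountNeedsUpdate(existingRouterSA, desiredRouterSA) {
+log.V(1).Info("Router ServiceAccount is up to date, skipping update",
+"name", existingRouterSA.Name,
+"namespace", existingRouterSA.Namespace)
+return nil
+}
+
+existingRouterSA.Labels = desiredRouterSA.Labels
+existingRouterSA.Annotations = desiredRouterSA.Annotations
+existingRouterSA.AutomountServiceAccountToken = desiredRouterSA.AutomountServiceAccountToken
+return nil
+})
+
+if err != nil {
+log.Error(err, "Failed to reconcile Router ServiceAccount",
+"name", desiredRouterSA.Name,
+"namespace", desiredRouterSA.Namespace)
+return err
+}
+
+log.Info("Router ServiceAccount reconciled",
+"name", existingRouterSA.Name,
+"namespace", existingRouterSA.Namespace,
+"operation", op)
+
 // Role
 desiredRole := r.createRole(jumpstarter)
 
@@ -169,6 +209,23 @@ func (r *JumpstarterReconciler) createServiceAccount(jumpstarter *operatorv1alph
 }
 }
 
+// createRouterServiceAccount creates a service account for the router with no RBAC permissions
+func (r *JumpstarterReconciler) createRouterServiceAccount(jumpstarter *operatorv1alpha1.Jumpstarter) *corev1.ServiceAccount {
+automount := false
+return &corev1.ServiceAccount{
+ObjectMeta: metav1.ObjectMeta{
+Name: fmt.Sprintf("%s-router-sa", jumpstarter.Name),
+Namespace: jumpstarter.Namespace,
+Labels: map[string]string{
+"app": "jumpstarter-router",
+"app.kubernetes.io/name": "jumpstarter-router",
+"app.kubernetes.io/managed-by": "jumpstarter-operator",
+},
+},
+AutomountServiceAccountToken: &automount,
+}
+}
+
 // createRole creates a role with necessary permissions for the controller
 func (r *JumpstarterReconciler) createRole(jumpstarter *operatorv1alpha1.Jumpstarter) *rbacv1.Role {
 return &rbacv1.Role{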
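Review bot: The `if !serviceAccountNeedsUpdate(existingRouterSA, desiredRouterSA)` early return in the mutate function can leave a drifted `automountServiceAccountToken` in place: that helper is defined outside this hunk and was written for the controller SA, so if it compares only labels and annotations, an out-of-band edit setting the field to `true` on the live object is never reverted, and the no-token guarantee promised by the `// Router ServiceAccount (zero RBAC, no token automount)` comment quietly lapses. controllerutil.CreateOrUpdate already skips the Update call (reporting OperationResultNone) when the mutate function changes nothing, so the gate saves no API traffic; assigning the three desired fields unconditionally is shorter and self-healing, and the pod-level automount=false in the Deployment remains the backstop either way. Note also that `desiredRouterSA.Annotations` is nil, so the update path clears any annotations added to the SA out of band — keep that only if intended. The doc comment on createRouterServiceAccount says it "creates" the account, but it only builds the desired object; `// createRouterServiceAccount builds the desired ServiceAccount for the router: no RoleBinding references it and token automount is disabled.` is more accurate.
```go
op, err = controllerutil.CreateOrUpdate(ctx, r.Client, existingRouterSA, func() error {
	// Always converge on the desired state; CreateOrUpdate only issues an
	// Update when this mutation actually changed the fetched object, so a
	// manually re-enabled token automount is reverted on the next pass.
	existingRouterSA.Labels = desiredRouterSA.Labels
	existingRouterSA.Annotations = desiredRouterSA.Annotations
	existingRouterSA.AutomountServiceAccountToken = desiredRouterSA.AutomountServiceAccountToken
	return nil
})
// … unchanged: error handling and "Router ServiceAccount reconciled" log …
```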