added custom service account (#1438)

* added custom service account - pre-tests * helm fix
robusta-dev · May 26, 2024 · d7ace4e · d7ace4e
1 parent 0d2dcc1
commit d7ace4e
Show file tree

Hide file tree

Showing 8 changed files with 23 additions and 7 deletions.
diff --git a/helm/robusta/templates/forwarder.yaml b/helm/robusta/templates/forwarder.yaml
@@ -22,7 +22,11 @@ spec:
         {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
+      {{- if .Values.kubewatch.customServiceAccount }}
+      serviceAccountName: {{ .Values.kubewatch.customServiceAccount }}
+      {{ else }}
       serviceAccountName: {{ include "robusta.fullname" . }}-forwarder-service-account
+      {{- end }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- if .Values.kubewatch.imagePullSecrets }}
       imagePullSecrets:

diff --git a/helm/robusta/templates/runner.yaml b/helm/robusta/templates/runner.yaml
@@ -26,7 +26,11 @@ spec:
         {{- end }}
       {{- end }}
     spec:
+      {{- if .Values.runner.customServiceAccount }}
+      serviceAccountName: {{ .Values.runner.customServiceAccount }}
+      {{ else }}
       serviceAccountName: {{ include "robusta.fullname" . }}-runner-service-account
+      {{- end }}
       automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- if .Values.runner.imagePullSecrets }}
       imagePullSecrets:
@@ -53,6 +57,10 @@ spec:
             value: /etc/robusta/config/active_playbooks.yaml
           - name: RELEASE_NAME
             value: {{ include "robusta.fullname" .| quote }}
+          {{- if .Values.runner.customServiceAccount }}
+          - name: RUNNER_SERVICE_ACCOUNT
+            value: {{ .Values.runner.customServiceAccount }}
+          {{- end }}
           - name: PROMETHEUS_ENABLED
             value: {{ .Values.enablePrometheusStack | quote}}
           - name: MANAGED_CONFIGURATION_ENABLED

diff --git a/helm/robusta/values.yaml b/helm/robusta/values.yaml
@@ -551,6 +551,7 @@ kubewatch:
       readOnlyRootFilesystem: false
       runAsUser: 1000
     pod: {}
+  customServiceAccount: "" # to override the kubewatch service account
   serviceAccount:
     # Additional annotations for the ServiceAccount.
     annotations: {}
@@ -587,6 +588,7 @@ runner:
   sentry_dsn: https://[email protected]/6156573
   sendAdditionalTelemetry: false
   certificate: "" # base64 encoded
+  customServiceAccount: "" # to override the runner service account
   resources:
     requests:
       cpu: 250m

diff --git a/playbooks/robusta_playbooks/krr.py b/playbooks/robusta_playbooks/krr.py
@@ -10,10 +10,9 @@
 from hikaru.model.rel_1_26 import Container, EnvVar, EnvVarSource, PodSpec, ResourceRequirements, SecretKeySelector
 from prometrix import AWSPrometheusConfig, CoralogixPrometheusConfig, PrometheusAuthorization, PrometheusConfig
 from pydantic import BaseModel, ValidationError, validator
-
 from robusta.api import (
     IMAGE_REGISTRY,
-    RELEASE_NAME,
+    RUNNER_SERVICE_ACCOUNT,
     EnrichmentAnnotation,
     ExecutionBaseEvent,
     Finding,
@@ -110,7 +109,7 @@ class KRRParams(PrometheusParams, PodRunningParams):
     :var krr_verbose: Run krr job with verbose logging
     """
 
-    serviceAccountName: str = f"{RELEASE_NAME}-runner-service-account"
+    serviceAccountName: str = RUNNER_SERVICE_ACCOUNT
     strategy: str = "simple"
     args: Optional[str] = None
     krr_args: str = ""

diff --git a/playbooks/robusta_playbooks/popeye.py b/playbooks/robusta_playbooks/popeye.py
@@ -11,7 +11,7 @@
 from hikaru.model.rel_1_26 import Container, PodSpec, ResourceRequirements
 from pydantic import BaseModel, ValidationError
 from robusta.api import (
-    RELEASE_NAME,
+    RUNNER_SERVICE_ACCOUNT,
     EnrichmentAnnotation,
     ExecutionBaseEvent,
     Finding,
@@ -79,7 +79,7 @@ class PopeyeParams(PodRunningParams):
     :var service_account_name: The account name to use for the Popeye scan job.
     """
 
-    service_account_name: str = f"{RELEASE_NAME}-runner-service-account"
+    service_account_name: str = RUNNER_SERVICE_ACCOUNT
     timeout = 300
     args: Optional[str] = None
     popeye_args: str = "-s no,ns,po,svc,sa,cm,dp,sts,ds,pv,pvc,hpa,pdb,cr,crb,ro,rb,ing,np,psp"

diff --git a/src/robusta/api/__init__.py b/src/robusta/api/__init__.py
@@ -70,6 +70,7 @@
     ROBUSTA_LOGO_URL,
     ROBUSTA_TELEMETRY_ENDPOINT,
     ROBUSTA_UI_DOMAIN,
+    RUNNER_SERVICE_ACCOUNT,
     RUNNER_VERSION,
     SEND_ADDITIONAL_TELEMETRY,
     SERVICE_CACHE_MAX_SIZE,

diff --git a/src/robusta/core/model/env_vars.py b/src/robusta/core/model/env_vars.py
@@ -65,6 +65,8 @@ def load_bool(env_var, default: bool):
 SEND_ADDITIONAL_TELEMETRY = os.environ.get("SEND_ADDITIONAL_TELEMETRY", "false").lower() == "true"
 RELEASE_NAME = os.environ.get("RELEASE_NAME", "robusta")
 
+RUNNER_SERVICE_ACCOUNT = os.environ.get("RUNNER_SERVICE_ACCOUNT", f"{RELEASE_NAME}-runner-service-account")
+
 TELEMETRY_PERIODIC_SEC = int(os.environ.get("TELEMETRY_PERIODIC_SEC", 60 * 60 * 24))  # 24H
 
 SLACK_TABLE_COLUMNS_LIMIT = int(os.environ.get("SLACK_TABLE_COLUMNS_LIMIT", 3))

diff --git a/src/robusta/integrations/kubernetes/custom_models.py b/src/robusta/integrations/kubernetes/custom_models.py
@@ -13,7 +13,7 @@
 from kubernetes.client import ApiException
 from pydantic import BaseModel
 
-from robusta.core.model.env_vars import IMAGE_REGISTRY, INSTALLATION_NAMESPACE, RELEASE_NAME
+from robusta.core.model.env_vars import IMAGE_REGISTRY, INSTALLATION_NAMESPACE, RUNNER_SERVICE_ACCOUNT
 from robusta.integrations.kubernetes.api_client_utils import (
     SUCCEEDED_STATE,
     exec_shell_command,
@@ -251,7 +251,7 @@ def create_debugger_pod(
                 annotations=custom_annotations,
             ),
             spec=PodSpec(
-                serviceAccountName=f"{RELEASE_NAME}-runner-service-account",
+                serviceAccountName=RUNNER_SERVICE_ACCOUNT,
                 hostPID=True,
                 nodeName=node_name,
                 restartPolicy="OnFailure",