neonvm: add support for mounting service account tokens #1316
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
No changes to the coverage.
HTML Report |
|
Hmm. This doesn't yet work for accessing the aws-iam-token volume mount which is automatically created for us. I'll have to think more for a potential solution. Ideally we'd have some way to encode that "this volumemount already exists, but please watch it anyway". Maybe a "none" disk? Additionally, if the VM wants access to the kubernetes API (why??) then we would need to somehow get the local kubernetes API endpoint into the VM - I imagine we don't need this |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Service account tokens can be created by kubernetes and automatically mounted to the pod using a projected volume: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#launch-a-pod-using-service-account-token-projection.
In EKS and AKS, there is a separate mechanism that watches pods for their service accounts, and adds a projection volumemount if that service account has an IAM policy in the annotations. https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html#_step_2_create_and_associate_iam_role. Since we don't control the volume, I've added an implicit disk source to handle this.
Using the sync mechanism, we can then mirror those into the VM.