WIP: set service account for multicontainerrun

kanisterio · Dec 9, 2024 · 0d6b029 · 0d6b029
1 parent a8d3db7
commit 0d6b029
Showing 1 changed file with 22 additions and 0 deletions.
diff --git a/pkg/function/multi_container_run.go b/pkg/function/multi_container_run.go
@@ -162,6 +162,11 @@ func (ktpf *multiContainerRunFunc) run(
 	// FIXME: this doesn't work with pod controller currently so we have to reorder containers
 	ktpf.annotations[defaultContainerAnn] = ktpOutputContainer
 
+	err = setPodSpecServiceAccount(&podSpec, ktpf.namespace, cli)
+	if err != nil {
+		return nil, errkit.Wrap(err, "Failed to set serviceaccount for pod")
+	}
+
 	pod := &corev1.Pod{
 		ObjectMeta: metav1.ObjectMeta{
 			GenerateName: jobPrefix,
@@ -194,6 +199,23 @@ func (ktpf *multiContainerRunFunc) run(
 	return getPodOutput(ctx, pc)
 }
 
+func setPodSpecServiceAccount(podSpec *corev1.PodSpec, ns string, cli kubernetes.Interface) error {
+	sa := podSpec.ServiceAccountName
+	controllerNamespace, err := kube.GetControllerNamespace()
+	if err != nil {
+		return errkit.Wrap(err, "Failed to get controller namespace")
+	}
+
+	if sa == "" && ns == controllerNamespace {
+		sa, err = kube.GetControllerServiceAccount(cli)
+		if err != nil {
+			return errkit.Wrap(err, "Failed to get Controller Service Account")
+		}
+	}
+	podSpec.ServiceAccountName = sa
+	return nil
+}
+
 // This function is similar to kubeTaskPodFunc
 func getPodOutput(ctx context.Context, pc kube.PodController) (map[string]interface{}, error) {
 	if err := pc.WaitForPodReady(ctx); err != nil {