From 0d6b0293acf696b3bcf8ed172963bcd7cd623854 Mon Sep 17 00:00:00 2001
From: Daniil Fedotov
Date: Mon, 9 Dec 2024 14:24:57 -0500
Subject: [PATCH] WIP: set service account for multicontainerrun

---
 pkg/function/multi_container_run.go | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/pkg/function/multi_container_run.go b/pkg/function/multi_container_run.go
index 316f046849..859bbf1899 100644
--- a/pkg/function/multi_container_run.go
+++ b/pkg/function/multi_container_run.go
@@ -162,6 +162,11 @@ func (ktpf *multiContainerRunFunc) run(
 // FIXME: this doesn't work with pod controller currently so we have to reorder containers
 ktpf.annotations[defaultContainerAnn] = ktpOutputContainer

+ err = setPodSpecServiceAccount(&podSpec, ktpf.namespace, cli)
+ if err != nil {
+ return nil, errkit.Wrap(err, "Failed to set serviceaccount for pod")
+ }
+
 pod := &corev1.Pod{
 ObjectMeta: metav1.ObjectMeta{
 GenerateName: jobPrefix,
@@ -194,6 +199,23 @@ func (ktpf *multiContainerRunFunc) run(
 return getPodOutput(ctx, pc)
 }

+func setPodSpecServiceAccount(podSpec *corev1.PodSpec, ns string, cli kubernetes.Interface) error {
+ sa := podSpec.ServiceAccountName
+ controllerNamespace, err := kube.GetControllerNamespace()
+ if err != nil {
+ return errkit.Wrap(err, "Failed to get controller namespace")
+ }
+
+ if sa == "" && ns == controllerNamespace {
+ sa, err = kube.GetControllerServiceAccount(cli)
+ if err != nil {
+ return errkit.Wrap(err, "Failed to get Controller Service Account")
+ }
+ }
+ podSpec.ServiceAccountName = sa
+ return nil
+}
+
 // This function is similar to kubeTaskPodFunc
 func getPodOutput(ctx context.Context, pc kube.PodController) (map[string]interface{}, error) {
 if err := pc.WaitForPodReady(ctx); err != nil {
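Review bot: The new call in run() can make this pod execute under the controller's own service account, and nothing at the call site records that decision. When `ktpf.namespace` is the controller namespace and the pod spec names no account, the whole pod shares that identity, so by default its token is mounted into every container (the `ktpOutputContainer` annotation suggests there are several) and their commands would presumably run with the controller's RBAC rights. I would add a comment above the call such as `// Falls back to the controller's service account in the controller namespace; all containers in this pod inherit its RBAC.` and log the resulting `podSpec.ServiceAccountName` so the effective identity can be audited. run() starts and ends outside this hunk, so whether `podSpec` already carries a user-supplied account at this point cannot be confirmed from here.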
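Review bot: setPodSpecServiceAccount calls `kube.GetControllerNamespace()` before checking whether the pod spec already names a service account, so a failure of that lookup aborts the run even when no fallback is needed. An early `if podSpec.ServiceAccountName != "" { return nil }` at the top of the function would keep an explicitly configured account independent of the controller lookup. The function also has no doc comment; I would add `// setPodSpecServiceAccount defaults podSpec.ServiceAccountName to the controller's service account when ns is the controller namespace and no account is set.` so the privilege implication is visible to the next reader. The two wrap messages are also cased inconsistently ("controller namespace" and "Controller Service Account").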