Allow selecting a specific service account for privileged containers (#…

…125)

Co-authored-by: Otmane TAZI <[email protected]>

kube/kubernetes_api_service.go

@@ -25,7 +25,7 @@ type KubernetesApiService interface {
 
 	DeletePod(podName string) error
 
-	CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error)
+	CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string) (*corev1.Pod, error)
 
 	UploadFile(localPath string, remotePath string, podName string, containerName string) error
 }
@@ -102,7 +102,7 @@ func (k *KubernetesApiServiceImpl) DeletePod(podName string) error {
 	return err
 }
 
-func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration) (*corev1.Pod, error) {
+func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containerName string, image string, socketPath string, timeout time.Duration, serviceaccount string) (*corev1.Pod, error) {
 	log.Debugf("creating privileged pod on remote node")
 
 	isSupported, err := k.IsSupportedContainerRuntime(nodeName)
@@ -194,6 +194,10 @@ func (k *KubernetesApiServiceImpl) CreatePrivilegedPod(nodeName string, containe
 		},
 	}
 
+	if serviceaccount != "" {
+		podSpecs.ServiceAccountName = serviceaccount
+	}
+
 	pod := corev1.Pod{
 		TypeMeta:   typeMetadata,
 		ObjectMeta: objectMetadata,

pkg/cmd/sniff.go

@@ -150,6 +150,11 @@ func NewCmdSniff(streams genericclioptions.IOStreams) *cobra.Command {
 	_ = viper.BindEnv("socket", "KUBECTL_PLUGINS_SOCKET_PATH")
 	_ = viper.BindPFlag("socket", cmd.Flags().Lookup("socket"))
 
+	cmd.Flags().StringVarP(&ksniffSettings.UserSpecifiedServiceAccount, "serviceaccount", "s", "",
+		"the privileged container service account (optional)")
+	_ = viper.BindEnv("serviceaccount", "KUBECTL_PLUGINS_LOCAL_FLAG_SERVICE_ACCOUNT")
+	_ = viper.BindPFlag("serviceaccount", cmd.Flags().Lookup("serviceaccount"))
+
 	return cmd
 }
 
@@ -178,10 +183,10 @@ func (o *Ksniff) Complete(cmd *cobra.Command, args []string) error {
 	o.settings.Image = viper.GetString("image")
 	o.settings.TCPDumpImage = viper.GetString("tcpdump-image")
 	o.settings.SocketPath = viper.GetString("socket")
-
 	o.settings.UseDefaultImage = !viper.IsSet("image")
 	o.settings.UseDefaultTCPDumpImage = !viper.IsSet("tcpdump-image")
 	o.settings.UseDefaultSocketPath = !viper.IsSet("socket")
+	o.settings.UserSpecifiedServiceAccount = viper.GetString("serviceaccount")
 
 	var err error
 
@@ -276,6 +281,11 @@ func (o *Ksniff) Validate() error {
 		}
 
 		log.Infof("using tcpdump path at: '%s'", o.settings.UserSpecifiedLocalTcpdumpPath)
+	} else if o.settings.UserSpecifiedServiceAccount != "" {
+		_, err := o.clientset.CoreV1().ServiceAccounts(o.resultingContext.Namespace).Get(context.TODO(), o.settings.UserSpecifiedServiceAccount, v1.GetOptions{})
+		if err != nil {
+			return err
+		}
 	}
 
 	pod, err := o.clientset.CoreV1().Pods(o.resultingContext.Namespace).Get(context.TODO(), o.settings.UserSpecifiedPodName, v1.GetOptions{})

pkg/config/settings.go

@@ -1,8 +1,9 @@
 package config
 
 import (
-	"k8s.io/cli-runtime/pkg/genericclioptions"
 	"time"
+
+	"k8s.io/cli-runtime/pkg/genericclioptions"
 )
 
 type KsniffSettings struct {
@@ -28,6 +29,7 @@ type KsniffSettings struct {
 	UserSpecifiedKubeContext       string
 	SocketPath                     string
 	UseDefaultSocketPath           bool
+	UserSpecifiedServiceAccount    string
 }
 
 func NewKsniffSettings(streams genericclioptions.IOStreams) *KsniffSettings {

pkg/service/sniffer/privileged_pod_sniffer_service.go

@@ -48,6 +48,7 @@ func (p *PrivilegedPodSnifferService) Setup() error {
 		p.settings.Image,
 		p.settings.SocketPath,
 		p.settings.UserSpecifiedPodCreateTimeout,
+		p.settings.UserSpecifiedServiceAccount,
 	)
 	if err != nil {
 		log.WithError(err).Errorf("failed to create privileged pod on node: '%s'", p.settings.DetectedPodNodeName)