diff --git a/cli/cmd/inject.go b/cli/cmd/inject.go index a2a4a6589dcb3..9354dd3f32685 100644 --- a/cli/cmd/inject.go +++ b/cli/cmd/inject.go @@ -309,6 +309,7 @@ func (resourceTransformerInject) generateReport(reports []inject.Report, output if len(automountServiceAccountTokenFalse) == 0 && verbose { output.Write([]byte(fmt.Sprintf("%s %s\n", okStatus, automountServiceAccountTokenDesc))) } + // // Summary // diff --git a/pkg/inject/report.go b/pkg/inject/report.go index ce7bb8094b403..2eb4f0c35eff5 100644 --- a/pkg/inject/report.go +++ b/pkg/inject/report.go @@ -91,6 +91,11 @@ func newReport(conf *ResourceConfig) *Report { if conf.pod.spec.AutomountServiceAccountToken != nil { report.AutomountServiceAccountToken = *conf.pod.spec.AutomountServiceAccountToken } + if conf.origin == OriginWebhook { + if vm := conf.serviceAccountVolumeMount(); vm == nil { + report.AutomountServiceAccountToken = false + } + } } else if report.Kind != k8s.Namespace { report.UnsupportedResource = true } diff --git a/pkg/inject/report_test.go b/pkg/inject/report_test.go index c2f219db5348e..ec74f4b727546 100644 --- a/pkg/inject/report_test.go +++ b/pkg/inject/report_test.go @@ -19,7 +19,18 @@ func TestInjectable(t *testing.T) { reasons []string }{ { - podSpec: &corev1.PodSpec{HostNetwork: false}, + podSpec: &corev1.PodSpec{ + HostNetwork: false, + Containers: []corev1.Container{ + { + VolumeMounts: []corev1.VolumeMount{ + { + MountPath: k8s.MountPathServiceAccount, + }, + }, + }, + }, + }, podMeta: &metav1.ObjectMeta{ Annotations: map[string]string{ k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled, 
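Review bot: The added `OriginWebhook` branch in `newReport` (pkg/inject/report.go) has no comment explaining why a missing service-account volume mount overrides `report.AutomountServiceAccountToken`, or why the check applies only to webhook-origin configs. Presumably the mount is already on the pod when the webhook sees it if automounting is in effect, so its absence means the token was disabled outside the pod spec; if so, a comment such as `// On admission the token mount is already present when automount is on; no mount means it was disabled outside the pod spec.` would record that. The nested `if` binds `vm` only to compare it with nil and can be written as `if conf.origin == OriginWebhook && conf.serviceAccountVolumeMount() == nil {`. `serviceAccountVolumeMount` is defined outside this diff, so confirm which containers it inspects, since a pod whose token mount sits on a container the helper skips would be reported as not injectable. `newReport` starts and ends outside the hunk.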
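Review bot: The same nine-line `Containers`/`VolumeMounts` literal is pasted into this case and into most of the cases changed in the later hunks of pkg/inject/report_test.go, which hides what each case actually varies. Declaring the mount once before the table, e.g. `saMount := []corev1.VolumeMount{{MountPath: k8s.MountPathServiceAccount}}`, and writing `Containers: []corev1.Container{{VolumeMounts: saMount}}` in each case would keep the fixtures readable. The table and `TestInjectable` continue outside the hunk.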
@@ -28,7 +39,18 @@ func TestInjectable(t *testing.T) {
 injectable: true,
 },
 {
- podSpec: &corev1.PodSpec{HostNetwork: true},
+ podSpec: &corev1.PodSpec{
+ HostNetwork: true,
+ Containers: []corev1.Container{
+ {
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
+ },
+ },
+ },
 podMeta: &metav1.ObjectMeta{
 Annotations: map[string]string{
 k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
@@ -43,6 +65,11 @@ func TestInjectable(t *testing.T) {
 {
 Name: k8s.ProxyContainerName,
 Image: "ghcr.io/linkerd/proxy:",
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
 },
 },
 },
@@ -62,6 +89,15 @@ func TestInjectable(t *testing.T) {
 Image: "ghcr.io/linkerd/proxy-init:",
 },
 },
+ Containers: []corev1.Container{
+ {
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
+ },
+ },
 },
 podMeta: &metav1.ObjectMeta{
 Annotations: map[string]string{
@@ -73,7 +109,17 @@ func TestInjectable(t *testing.T) {
 },
 {
 unsupportedResource: true,
- podSpec: &corev1.PodSpec{},
+ podSpec: &corev1.PodSpec{
+ Containers: []corev1.Container{
+ {
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
+ },
+ },
+ },
 podMeta: &metav1.ObjectMeta{
 Annotations: map[string]string{
 k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
@@ -84,7 +130,18 @@ func TestInjectable(t *testing.T) {
 },
 {
 unsupportedResource: true,
- podSpec: &corev1.PodSpec{HostNetwork: true},
+ podSpec: &corev1.PodSpec{
+ HostNetwork: true,
+ Containers: []corev1.Container{
+ {
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
+ },
+ },
+ },
 podMeta: &metav1.ObjectMeta{
 Annotations: map[string]string{
 k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
@@ -98,7 +155,18 @@ func TestInjectable(t *testing.T) {
 nsAnnotations: map[string]string{
 k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
 },
- podSpec: &corev1.PodSpec{HostNetwork: true},
+ podSpec: &corev1.PodSpec{
+ HostNetwork: true,
+ Containers: []corev1.Container{
+ {
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
+ },
+ },
+ },
 podMeta: &metav1.ObjectMeta{
 Annotations: map[string]string{
 k8s.ProxyInjectAnnotation: k8s.ProxyInjectDisabled,
@@ -113,7 +181,18 @@ func TestInjectable(t *testing.T) {
 k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
 },
 unsupportedResource: true,
- podSpec: &corev1.PodSpec{HostNetwork: true},
+ podSpec: &corev1.PodSpec{
+ HostNetwork: true,
+ Containers: []corev1.Container{
+ {
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
+ },
+ },
+ },
 podMeta: &metav1.ObjectMeta{
 Annotations: map[string]string{
 k8s.ProxyInjectAnnotation: k8s.ProxyInjectDisabled,
@@ -125,7 +204,18 @@ func TestInjectable(t *testing.T) {
 },
 {
 unsupportedResource: true,
- podSpec: &corev1.PodSpec{HostNetwork: true},
+ podSpec: &corev1.PodSpec{
+ HostNetwork: true,
+ Containers: []corev1.Container{
+ {
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
+ },
+ },
+ },
 podMeta: &metav1.ObjectMeta{
 Annotations: map[string]string{},
 },
@@ -139,6 +229,11 @@ func TestInjectable(t *testing.T) {
 {
 Name: k8s.ProxyContainerName,
 Image: "ghcr.io/linkerd/proxy:",
+ VolumeMounts: []corev1.VolumeMount{
+ {
+ MountPath: k8s.MountPathServiceAccount,
+ },
+ },
 },
 }},
 podMeta: &metav1.ObjectMeta{
@@ -148,6 +243,16 @@ func TestInjectable(t *testing.T) {
 injectable: false,
 reasons: []string{hostNetworkEnabled, sidecarExists, injectEnableAnnotationAbsent},
 },
+ {
+ podSpec: &corev1.PodSpec{},
+ podMeta: &metav1.ObjectMeta{
+ Annotations: map[string]string{
+ k8s.ProxyInjectAnnotation: k8s.ProxyInjectEnabled,
+ },
+ },
+ injectable: false,
+ reasons: []string{disabledAutomountServiceAccountToken},
+ },
 }
 for i, testCase := range testCases {
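Review bot: The added case with an empty `corev1.PodSpec{}` pins only the negative path for a pod with no containers. Nothing added in this diff covers a pod whose containers exist but lack the mount, or a non-webhook config where the missing mount must not produce `disabledAutomountServiceAccountToken`. The loop body that builds the config is outside the hunk, so how `origin` is set for these cases cannot be seen here; if it is fixed to `OriginWebhook`, the origin guard in `newReport` is untested. Consider adding one case per gap so that a later change to the guard or to the mount lookup fails a test.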