From 2785ae1cd1c4ef2e45279a374a2f06f53b600351 Mon Sep 17 00:00:00 2001
From: Yossi Boaron
Date: Thu, 27 Nov 2025 12:06:46 +0200
Subject: [PATCH] Use dedicated service accounts for multus pods

Fix multus and cni-sysctl-allowlist-ds to use dedicated service accounts instead of default.

Signed-off-by: Yossi Boaron
---
 bindata/allowlist/daemonset/daemonset.yaml | 1 +
 bindata/network/multus/multus.yaml | 2 -
 pkg/network/multus_test.go | 51 ++++++++++++++++++++++
 3 files changed, 52 insertions(+), 2 deletions(-)

diff --git a/bindata/allowlist/daemonset/daemonset.yaml b/bindata/allowlist/daemonset/daemonset.yaml
index cb4f06e1aa..e177cf7677 100644
--- a/bindata/allowlist/daemonset/daemonset.yaml
+++ b/bindata/allowlist/daemonset/daemonset.yaml
@@ -18,6 +18,7 @@ spec: cluster-autoscaler.kubernetes.io/enable-ds-eviction: "false" spec: hostNetwork: true
+ serviceAccountName: multus-ancillary-tools
 containers: - name: kube-multus-additional-cni-plugins image: {{.MultusImage}}
diff --git a/bindata/network/multus/multus.yaml b/bindata/network/multus/multus.yaml
index 841f6eae1e..f796dbc0b2 100644
--- a/bindata/network/multus/multus.yaml
+++ b/bindata/network/multus/multus.yaml
@@ -244,9 +244,7 @@ spec: hostPID: true nodeSelector: kubernetes.io/os: linux
-{{ if not .NETWORK_NODE_IDENTITY_ENABLE }}
 serviceAccountName: multus
-{{ end }}
 priorityClassName: "system-node-critical" tolerations: - operator: Exists
diff --git a/pkg/network/multus_test.go b/pkg/network/multus_test.go
index 6a16703569..fb417eae1d 100644
--- a/pkg/network/multus_test.go
+++ b/pkg/network/multus_test.go
@@ -6,6 +6,7 @@ import ( operv1 "github.com/openshift/api/operator/v1" . "github.com/onsi/gomega"
+ uns "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )
 var MultusConfig = operv1.Network{ 
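Review bot: The added `serviceAccountName: multus-ancillary-tools` moves this hostNetwork pod off the default ServiceAccount, but nothing in this patch renders or binds an account of that name and the new test only covers the multus DaemonSet, so a missing account would only surface at pod creation time. If `multus-ancillary-tools` is defined elsewhere with RBAC for other components, this pod now inherits those rights through its mounted token; if the allowlist container never talks to the API server, consider adding `automountServiceAccountToken: false` next to the new line so the token is not exposed on every node. Either way, a render assertion that a `ServiceAccount` named `multus-ancillary-tools` exists in the DaemonSet's namespace would pin the dependency this change introduces.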
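Review bot: Removing the `{{ if not .NETWORK_NODE_IDENTITY_ENABLE }}` guard makes the multus DaemonSet reference the `multus` ServiceAccount unconditionally, but this hunk does not show whether the ServiceAccount and its ClusterRoleBinding are rendered unconditionally as well; if they remain gated on node identity, the pod would reference a missing account when node identity is enabled. Since the guard presumably existed because multus relies on per-node credentials in that mode, it is worth confirming that the `multus` ClusterRole is the narrowest grant the pod still needs when node identity is on, rather than restoring cluster-wide rights by default. A one-line template comment above the field would preserve the intent, e.g. `# set in both node-identity modes so the pod never falls back to the default ServiceAccount`.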
@@ -55,3 +56,53 @@ func TestRenderMultus(t *testing.T) {
 g.Expect(objs).To(ContainElement(HaveKubernetesID("ClusterRole", "", "multus")))
 g.Expect(objs).To(ContainElement(HaveKubernetesID("DaemonSet", "openshift-multus", "multus")))
 }
+
+// TestMultusServiceAccountAlwaysSet tests service account is set with and without node identity
+func TestMultusServiceAccountAlwaysSet(t *testing.T) {
+ g := NewGomegaWithT(t)
+
+ crd := MultusConfig.DeepCopy()
+ config := &crd.Spec
+ enabled := false
+ config.DisableMultiNetwork = &enabled
+ fillDefaults(config, nil)
+
+ // Test without node identity
+ bootstrapWithoutNodeIdentity := fakeBootstrapResult()
+ bootstrapWithoutNodeIdentity.Infra.NetworkNodeIdentityEnabled = false
+
+ objs, err := renderMultus(config, bootstrapWithoutNodeIdentity, manifestDir)
+ g.Expect(err).NotTo(HaveOccurred())
+
+ daemonSet := findDaemonSet(objs, "openshift-multus", "multus")
+ g.Expect(daemonSet).NotTo(BeNil())
+
+ serviceAccount, found, err := uns.NestedString(daemonSet.Object, "spec", "template", "spec", "serviceAccountName")
+ g.Expect(err).NotTo(HaveOccurred())
+ g.Expect(found).To(BeTrue())
+ g.Expect(serviceAccount).To(Equal("multus"))
+
+ // Test with node identity
+ bootstrapWithNodeIdentity := fakeBootstrapResult()
+ bootstrapWithNodeIdentity.Infra.NetworkNodeIdentityEnabled = true
+
+ objs, err = renderMultus(config, bootstrapWithNodeIdentity, manifestDir)
+ g.Expect(err).NotTo(HaveOccurred())
+
+ daemonSet = findDaemonSet(objs, "openshift-multus", "multus")
+ g.Expect(daemonSet).NotTo(BeNil())
+
+ serviceAccount, found, err = uns.NestedString(daemonSet.Object, "spec", "template", "spec", "serviceAccountName")
+ g.Expect(err).NotTo(HaveOccurred())
+ g.Expect(found).To(BeTrue())
+ g.Expect(serviceAccount).To(Equal("multus"))
+}
+
+func findDaemonSet(objs []*uns.Unstructured, namespace, name string) *uns.Unstructured {
+ for _, obj := range objs {
+ if obj.GetKind() == "DaemonSet" && obj.GetNamespace() == namespace && obj.GetName() == 
name {
+ return obj
+ }
+ }
+ return nil
+}
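Review bot: TestMultusServiceAccountAlwaysSet pins the DaemonSet's `serviceAccountName` field in both node-identity modes but never asserts that a ServiceAccount object named `multus` is actually rendered alongside it, so a template that still gates the account on `NETWORK_NODE_IDENTITY_ENABLE` would pass this test and fail only at pod admission; adding `g.Expect(objs).To(ContainElement(HaveKubernetesID("ServiceAccount", "openshift-multus", "multus")))` after each `findDaemonSet` check closes that gap, and the commit message also promises the allowlist DaemonSet uses a dedicated account, which this test does not cover at all. The two halves of the test are identical apart from `NetworkNodeIdentityEnabled`, so a table-driven loop over `[]bool{false, true}` with `t.Run` subtests would make a failure report which mode broke and avoid the duplicated assertions. The `findDaemonSet` helper is fine, though the test could equally use the existing `HaveKubernetesID` matcher to locate the object and keep one lookup style in the file.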