Skip to content
This repository has been archived by the owner on Oct 14, 2024. It is now read-only.

Allow to define non-default serviceAccount for the runtime-scan-job #665

Open
ruzmuh opened this issue Jul 23, 2024 · 0 comments
Open

Allow to define non-default serviceAccount for the runtime-scan-job #665

ruzmuh opened this issue Jul 23, 2024 · 0 comments

Comments

@ruzmuh
Copy link

ruzmuh commented Jul 23, 2024

Is your feature request related to a problem? Please describe.
At the moment, we cannot set the serviceAccount for runtime-scan-jobs using Helm. Moreover, it always uses the default serviceAccount. This limitation doesn't allow us to use existing serviceAccounts to provide access to artifactRegistry using Workload Identity instead of keeping google service account in kubernetes secret (gcr-sa).

Describe the solution you'd like
I would like to have the ability to set the serviceAccount for runtime-scan-jobs using a Helm variable .Values.kubeclarity-runtime-scan.serviceAccount.name.
Here is an example of how it could be implemented in scanner-template-configmap.yaml:

          {{- if index .Values "kubeclarity-runtime-scan" "serviceAccount" "name"}}
          serviceAccount: {{ index .Values "kubeclarity-runtime-scan" "serviceAccount" "name" | quote} }
          {{- end}}

Describe alternatives you've considered
We can modify the kubeclarity-kubeclarity-scanner-template ConfigMap by hand, but this approach is inconvenient and error-prone. We also can

Additional context
By adding this feature, users would be able to utilize existing serviceAccounts, which is particularly useful for providing necessary permissions, such as access to artifactRegistry in GCP.

@ramizpolic ramizpolic changed the title Allow to define non-default serviceAccount for the runtime-scan-job [kubeclarity] Allow to define non-default serviceAccount for the runtime-scan-job Aug 8, 2024
@ramizpolic ramizpolic changed the title [kubeclarity] Allow to define non-default serviceAccount for the runtime-scan-job Allow to define non-default serviceAccount for the runtime-scan-job Aug 8, 2024
@ramizpolic ramizpolic transferred this issue from openclarity/openclarity Aug 8, 2024
@ramizpolic ramizpolic transferred this issue from another repository Aug 10, 2024
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant