Kubectl: serviceAccountName default value
Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.4", GitCommit:"d6f433224538d4f9ca2f7ae19b252e6fcb66a3ae", GitTreeState:"clean", BuildDate:"2017-05-19T20:41:07Z", GoVersion:"go1.8.1", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.2+coreos.0", GitCommit:"79fee581ce4a35b7791fdd92e0fc97e02ef1d5c0", GitTreeState:"clean", BuildDate:"2017-04-19T23:13:34Z", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
Environment:
- Cloud provider or hardware configuration: AWS
- OS (e.g. from /etc/os-release):
NAME="Container Linux by CoreOS"
ID=coreos
VERSION=1353.8.0
VERSION_ID=1353.8.0
BUILD_ID=2017-05-30-2322
PRETTY_NAME="Container Linux by CoreOS 1353.8.0 (Ladybug)"
ANSI_COLOR="38;5;75"
HOME_URL="https://coreos.com/"
BUG_REPORT_URL="https://issues.coreos.com"
- Kernel (e.g.
uname -a):
Linux ip-10-66-21-135.eu-west-1.compute.internal 4.9.24-coreos #1 SMP Tue May 30 23:12:01 UTC 2017 x86_64 Intel(R) Xeon(R) CPU E5-2666 v3 @ 2.90GHz GenuineIntel GNU/Linux
- Install tools:
terraform - Others: N/A
What happened:
- Given the following manifest:
kind: Namespace
apiVersion: v1
metadata:
name: test
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: test-sa
namespace: test
---
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: test-deployment
namespace: test
spec:
replicas: 1
template:
metadata:
labels:
app: test-app
spec:
containers:
- name: test-container
image: gcr.io/google_containers/pause:1.0
$ kubectl apply -f test.yaml
namespace "test" configured
serviceaccount "test-sa" configured
deployment "test-deployment" created
- Modify the manifest to specify a
serviceAccountName:
serviceAccountName: test-sa
Applying again with kubectl will update the deployment and cause the running pod to be replaced, as expected.
- Modify the manifest again and remove the
serviceAccountName, apply again. The deployment is not updated:
$ kubectl -ntest describe deployment test-deployment | grep 'Service Account'
Service Account: test-sa
What you expected to happen:
I expected the deployment to be updated to use the default namespace Service Account again.
How to reproduce it (as minimally and precisely as possible):
See the steps above.
alkar
All 6 comments
Patch works well but the conversion mess it up.
What is happening is:
There are 2 service account fields. (serviceAccount, which is the alias of serviceAccountName, has been deprecated)
After specifying serviceAccountName: test-sa, do a Get:
$ kubectl get deployment test-deployment
...
serviceAccount: test-sa # <=== defaulted from serviceAccountName
serviceAccountName: test-sa
...
serviceAccount is defaulted from serviceAccountName, see: func Convert_api_PodSpec_To_v1_PodSpec.
After PATCH deleting serviceAccountName, it get restored by func Convert_v1_PodSpec_To_api_PodSpec. So you are seeing it still exists.
cc: @pwittrock
mengqiy
on 6 Jun 2017
@alkar An work around is explicitly set these 2 fields to null:
...
serviceAccount: null
serviceAccountName: null
...
Right, thanks for the detailed explanation & workaround.
Is this something that will eventually get resolved when serviceAccount gets removed?
alkar
on 8 Jun 2017
I think we will eventually removed this field. I filed an issue #47198 to ask when.
mengqiy
on 8 Jun 2017
There is a PR #44900 to remove it. It is targeted at the beginning of 1.8.
mengqiy
on 9 Jun 2017
Closing since this is not an issue with kubectl. Thanks for triaging @mengqiy
pwittrock
on 14 Jun 2017
Related issues
3dbrows
路
6Comments
asad-mahmood1
路
6Comments
ZhilinS
路
5Comments
AdamSharif-MSFT
路
3Comments
willbeason
路
4Comments