Cluster image scanning does not work with non-default namespace or service account
Why are we doing this work
With the completion of gitlab-org/cluster-integration/gitlab-agent!630 (merged), the GitLab agent is now able to run vulnerability scans. Currently, it is hard-coded to run the scan jobs within the `gitlab-agent` namespace, using the `gitlab-agent` service account. This namespace and service account are created by the default installation method, but users can customize the installation and choose a different namespace and service account. We need to fix this so that scanning still works when either of those is changed.
Relevant links
Another tricky behavior was noticed after first writing this issue (emphasis mine - copied from #350232 (comment 992999651)):
> When verifying, I first encountered this error:
>
> ```
> {"level":"error","time":"2022-06-15T17:02:00.902Z","msg":"Failed to perform vulnerability scan on workload","mod_name":"starboard_vulnerability","error":"getting service account by name: gitlab-agent/gitlab-agent: serviceaccounts \"gitlab-agent\" not found"}
> ```
>
> It appears that the default service account name is no longer `gitlab-agent`. Instead, it is `[agent name]-gitlab-agent` (code). To work around this, you can either do `kubectl create serviceaccount gitlab-agent -n gitlab-agent`, or pass `--set serviceAccount.name=gitlab-agent` to the helm command when installing the agent. @thiagocsf This may be good reason to prioritize #361972 (closed), as the vulnerability scanning no longer works out of the box.
Non-functional requirements
- Documentation: !90520 (merged) (adjust or remove as needed)
- Feature flag: -
- Performance: -
- Testing: -
Implementation Plan
- Chart: We can already read the namespace the agent pods run in from the `POD_NAMESPACE` environment variable. To determine the service account likewise, we need to add a `SERVICE_ACCOUNT_NAME` env var to deployment.yaml:
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -61,6 +61,10 @@ spec:
valueFrom:
fieldRef:
fieldPath: metadata.name
+ - name: SERVICE_ACCOUNT_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.serviceAccountName
{{- if .Values.extraEnv }}
{{- toYaml .Values.extraEnv | nindent 12 }}
{{- end }}
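Review bot: the new `SERVICE_ACCOUNT_NAME` entry via `fieldRef: spec.serviceAccountName` reports the account the pod is actually admitted with, so when the deployment template renders no `serviceAccountName` at all, Kubernetes fills in `default` and the variable will read `default`, not empty; the agent-side fallback to `gitlab-agent` therefore only covers charts that lack this variable entirely, not installs where the service account was left unset. If the chart can render a pod without `serviceAccountName`, either guard this block with the same condition or document that scan jobs then run as the `default` account and need RBAC granted to it. Placing the entry before the `{{- if .Values.extraEnv }}` block is otherwise fine, since it mirrors the existing downward-API `metadata.name` entry above it.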
- Agent: In our agent's factory.go, we need to read these variables instead of hardcoding the namespace and service account name. If `SERVICE_ACCOUNT_NAME` is unset, we fall back to the current `gitlab-agent` value.
- Documentation: Remove the workaround from the agent troubleshooting docs (revert !90520 (merged)).
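The resolution logic described by the agent step above, as an added example written for this issue rather than code from the gitlab-agent repository: it reads `POD_NAMESPACE` and `SERVICE_ACCOUNT_NAME` from the downward-API environment the chart change provides and falls back to `gitlab-agent` for whichever one is missing or empty. `ScanTarget`, `resolveScanTarget` and `envFromMap` are hypothetical names; the lookup function is injected so the fallback behaviour can be exercised against a constructed environment instead of the real process environment.

```go
package main

import (
	"fmt"
	"os"
)

// Values the agent used before the change (from the issue text).
// If an older chart does not set the variables, these remain in effect.
const (
	defaultNamespace      = "gitlab-agent"
	defaultServiceAccount = "gitlab-agent"
)

// ScanTarget is where scan jobs are created and which identity they run as.
// Hypothetical type, not the agent's own.
type ScanTarget struct {
	Namespace      string
	ServiceAccount string
}

// Key renders the target in the "namespace/serviceaccount" form seen in the
// agent's error message ("gitlab-agent/gitlab-agent").
func (t ScanTarget) Key() string {
	return t.Namespace + "/" + t.ServiceAccount
}

// resolveScanTarget picks the namespace and service account for scan jobs.
// lookup has the shape of os.LookupEnv; an absent or empty variable counts
// as unset and falls back to the old hard-coded value.
func resolveScanTarget(lookup func(string) (string, bool)) ScanTarget {
	t := ScanTarget{Namespace: defaultNamespace, ServiceAccount: defaultServiceAccount}
	if v, ok := lookup("POD_NAMESPACE"); ok && v != "" {
		t.Namespace = v
	}
	if v, ok := lookup("SERVICE_ACCOUNT_NAME"); ok && v != "" {
		t.ServiceAccount = v
	}
	return t
}

// envFromMap builds a lookup over a constructed map so the resolution can be
// checked without a running pod (test helper, hypothetical).
func envFromMap(m map[string]string) func(string) (string, bool) {
	return func(k string) (string, bool) {
		v, ok := m[k]
		return v, ok
	}
}

func main() {
	// In the real agent this would use os.LookupEnv, as here.
	t := resolveScanTarget(os.LookupEnv)
	fmt.Printf("scan jobs will run as %s\n", t.Key())
}
```

Note that the fallback only triggers when the variable is absent or blank. A pod that Kubernetes admitted with the `default` service account reports `default` through the downward API, so the code will (correctly) use `default`, and that account then needs the RBAC the scan jobs require.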