Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

refuse serviceaccount projection volume request when pod has no serviceaccount bounded

**What this PR does / why we need it**:

Currently, if a user starts a cluster with the ServiceAccount admission plugin disabled, then creates a Pod like this:

```
kind: Pod
apiVersion: v1
metadata:
  labels:
    run: nginx
  name: busybox2
spec:
  containers:
  - image: gcr.io/google-containers/nginx
    name: nginx
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: token
  - image: ubuntu
    name: ttt
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: token
    command: [ "/bin/bash", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  volumes:
  - name: token
    projected:
      sources:
      - serviceAccountToken:
          path: tokenPath
          expirationSeconds: 6000
          audience: gakki-audiences
```

The pod creation will fail with error info like:

Events:

```
Type     Reason       Age               From                Message
----     ------       ----              ----                -------
Normal   Scheduled    23s               default-scheduler   Successfully assigned office/busybox2 to 127.0.0.1
Warning  FailedMount  8s (x6 over 23s)  kubelet, 127.0.0.1  MountVolume.SetUp failed for volume "token" : failed to fetch token: resource name may not be empty
```

We should refuse the projection request earlier. This patch fixes this.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
- BUILD
- doc.go
- events_test.go
- events.go
- OWNERS
- validation_test.go
- validation.go
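
The early refusal the commit message asks for, sketched as an added example (this is not the Kubernetes validation code). The types, `ValidateTokenProjections` and `ErrNoServiceAccount` are hypothetical stand-ins, and `busybox2Spec` is a constructed copy of the volume section of the pod above.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the pod fields involved, not the Kubernetes API types.
type TokenProjection struct {
	Path, Audience    string
	ExpirationSeconds int64
}
type VolumeProjection struct{ ServiceAccountToken *TokenProjection }
type Volume struct {
	Name    string
	Sources []VolumeProjection // sources of a projected volume
}
type PodSpec struct {
	ServiceAccountName string
	Volumes            []Volume
}

var ErrNoServiceAccount = errors.New("serviceAccountToken projection requires a service account on the pod")

// ValidateTokenProjections fails at validation time, instead of at kubelet
// mount time, when a token projection is requested without a service account.
func ValidateTokenProjections(spec PodSpec) error {
	if spec.ServiceAccountName != "" {
		return nil
	}
	for i, v := range spec.Volumes {
		for j, src := range v.Sources {
			if src.ServiceAccountToken != nil {
				return fmt.Errorf("spec.volumes[%d].projected.sources[%d]: %w", i, j, ErrNoServiceAccount)
			}
		}
	}
	return nil
}

// busybox2Spec is a constructed copy of the volume section of the pod above.
func busybox2Spec(serviceAccount string) PodSpec {
	tok := &TokenProjection{Path: "tokenPath", Audience: "gakki-audiences", ExpirationSeconds: 6000}
	return PodSpec{ServiceAccountName: serviceAccount,
		Volumes: []Volume{{Name: "token", Sources: []VolumeProjection{{ServiceAccountToken: tok}}}}}
}

func main() {
	fmt.Println(ValidateTokenProjections(busybox2Spec("")))        // rejected
	fmt.Println(ValidateTokenProjections(busybox2Spec("default"))) // accepted
}
```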