Merge pull request #66698 from WanLinghao/token_projected_improve

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

refuse serviceaccount projection volume request when pod has no servceaccount bounded

**What this PR does / why we need it**:
Currently, if user starts a cluster with ServiceAccount admission plugin disabled, then creates a Pod 
like this:
```
kind: Pod 
apiVersion: v1
metadata:
  labels:
    run: nginx
  name: busybox2
spec:
      containers:
      - image: gcr.io/google-containers/nginx
        name: nginx
        volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: token
      - image: ubuntu
        name: ttt 
        volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: token
        command: [ "/bin/bash", "-c", "--" ]
        args: [ "while true; do sleep 30; done;" ]
      volumes:
      - name: token
        projected:
          sources:
          - serviceAccountToken:
              path: tokenPath
              expirationSeconds: 6000
              audience: gakki-audiences
```
The pod creation will fail with error info like:
Events:
```
  Type     Reason       Age               From                Message
  ----     ------       ----              ----                -------
  Normal   Scheduled    23s               default-scheduler   Successfully assigned office/busybox2 to 127.0.0.1
  Warning  FailedMount  8s (x6 over 23s)  kubelet, 127.0.0.1  MountVolume.SetUp failed for volume "token" : failed to fetch token: resource name may not be empty
```
We should refuse the projection request earlier. This patch fixes this.


**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:

```release-note
NONE
```
This commit is contained in:
Kubernetes Submit Queue 2018-08-08 07:46:17 -07:00 committed by GitHub
commit e38efdcce6
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 43 additions and 0 deletions


@ -2913,6 +2913,20 @@ func ValidatePod(pod *core.Pod) field.ErrorList {
// this was done to preserve backwards compatibility
specPath := field.NewPath("spec")
if pod.Spec.ServiceAccountName == "" {
for vi, volume := range pod.Spec.Volumes {
path := specPath.Child("volumes").Index(vi).Child("projected")
if volume.Projected != nil {
for si, source := range volume.Projected.Sources {
saPath := path.Child("sources").Index(si).Child("serviceAccountToken")
if source.ServiceAccountToken != nil {
allErrs = append(allErrs, field.Forbidden(saPath, "must not be specified when serviceAccountName is not set"))
}
}
}
}
}
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.Containers, specPath.Child("containers"))...)
allErrs = append(allErrs, validateContainersOnlyForPod(pod.Spec.InitContainers, specPath.Child("initContainers"))...)
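Review bot: The new block nests four levels deep and computes `path` before it knows whether `volume.Projected` is set; turning the two nil checks into `continue` guards keeps the happy path flat and puts the `field.Forbidden` line where it is readable. A short why-comment would also help the next maintainer, since the only explanation is in the PR text: without a serviceAccountName the kubelet has nothing to request a token for and fails at mount time, so the pod is rejected at admission instead. Placing the check in ValidatePod rather than ValidatePodSpec appears deliberate (it sits next to the validateContainersOnlyForPod calls, which the comment above explains is for backwards compatibility), but it means a pod template that projects a service account token with no serviceAccountName still passes template validation and fails only when the controller creates the pod; confirm that is the intended scope. The local name `path` shadows the standard-library package of that name if this file imports it. ValidatePod starts and continues outside the hunk.
```go
	if pod.Spec.ServiceAccountName == "" {
		// A serviceAccountToken projection needs a service account to mint a token for;
		// with no serviceAccountName the kubelet cannot fetch one, so reject it here.
		for vi, volume := range pod.Spec.Volumes {
			if volume.Projected == nil {
				continue
			}
			projectedPath := specPath.Child("volumes").Index(vi).Child("projected")
			for si, source := range volume.Projected.Sources {
				if source.ServiceAccountToken == nil {
					continue
				}
				saPath := projectedPath.Child("sources").Index(si).Child("serviceAccountToken")
				allErrs = append(allErrs, field.Forbidden(saPath, "must not be specified when serviceAccountName is not set"))
			}
		}
	}
	// … unchanged: validateContainersOnlyForPod calls …
```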


@ -7670,6 +7670,35 @@ func TestValidatePod(t *testing.T) {
},
},
},
"serviceaccount token projected volume with no serviceaccount name specified": {
expectedError: "must not be specified when serviceAccountName is not set",
spec: core.Pod{
ObjectMeta: metav1.ObjectMeta{Name: "123", Namespace: "ns"},
Spec: core.PodSpec{
Containers: []core.Container{{Name: "ctr", Image: "image", ImagePullPolicy: "IfNotPresent", TerminationMessagePolicy: "File"}},
RestartPolicy: core.RestartPolicyAlways,
DNSPolicy: core.DNSClusterFirst,
Volumes: []core.Volume{
{
Name: "projected-volume",
VolumeSource: core.VolumeSource{
Projected: &core.ProjectedVolumeSource{
Sources: []core.VolumeProjection{
{
ServiceAccountToken: &core.ServiceAccountTokenProjection{
Audience: "foo-audience",
ExpirationSeconds: 6000,
Path: "foo-path",
},
},
},
},
},
},
},
},
},
},
}
for k, v := range errorCases {
if errs := ValidatePod(&v.spec); len(errs) == 0 {