SDK Service Account was Hardcoded

The value of agones.serviceaccount.sdk was not propagated down to the creation of the GameServer Pod, so there actually was no way to edit the service account information without Agones breaking. This is now fixed!

Author: markmandel

cmd/controller/main.go

@@ -59,6 +59,7 @@ const (
 sidecarImageFlag="sidecar-image"
 sidecarCPURequestFlag="sidecar-cpu-request"
 sidecarCPULimitFlag="sidecar-cpu-limit"
+sdkServerAccountFlag="sdk-service-account"
 pullSidecarFlag="always-pull-sidecar"
 minPortFlag="min-port"
 maxPortFlag="max-port"
@@ -188,7 +189,7 @@ func main(){
 
 gsController:=gameservers.NewController(wh, health,
 ctlConf.MinPort, ctlConf.MaxPort, ctlConf.SidecarImage, ctlConf.AlwaysPullSidecar,
-ctlConf.SidecarCPURequest, ctlConf.SidecarCPULimit,
+ctlConf.SidecarCPURequest, ctlConf.SidecarCPULimit,ctlConf.SdkServiceAccount,
 kubeClient, kubeInformerFactory, extClient, agonesClient, agonesInformerFactory)
 gsSetController:=gameserversets.NewController(wh, health, gsCounter,
 kubeClient, extClient, agonesClient, agonesInformerFactory)
@@ -231,6 +232,7 @@ func parseEnvFlags() config{
 viper.SetDefault(sidecarCPURequestFlag, "0")
 viper.SetDefault(sidecarCPULimitFlag, "0")
 viper.SetDefault(pullSidecarFlag, false)
+viper.SetDefault(sdkServerAccountFlag, "agones-sdk")
 viper.SetDefault(certFileFlag, filepath.Join(base, "certs/server.crt"))
 viper.SetDefault(keyFileFlag, filepath.Join(base, "certs/server.key"))
 viper.SetDefault(enablePrometheusMetricsFlag, true)
@@ -246,6 +248,7 @@ func parseEnvFlags() config{
 pflag.String(sidecarCPULimitFlag, viper.GetString(sidecarCPULimitFlag), "Flag to overwrite the GameServer sidecar container's cpu limit. Can also use SIDECAR_CPU_LIMIT env variable")
 pflag.String(sidecarCPURequestFlag, viper.GetString(sidecarCPURequestFlag), "Flag to overwrite the GameServer sidecar container's cpu request. Can also use SIDECAR_CPU_REQUEST env variable")
 pflag.Bool(pullSidecarFlag, viper.GetBool(pullSidecarFlag), "For development purposes, set the sidecar image to have a ImagePullPolicy of Always. Can also use ALWAYS_PULL_SIDECAR env variable")
+pflag.String(sdkServerAccountFlag, viper.GetString(sdkServerAccountFlag), "Overwrite what service account default for GameServer Pods. Defaults to Can also use SDK_SERVICE_ACCOUNT")
 pflag.Int32(minPortFlag, 0, "Required. The minimum port that that a GameServer can be allocated to. Can also use MIN_PORT env variable.")
 pflag.Int32(maxPortFlag, 0, "Required. The maximum port that that a GameServer can be allocated to. Can also use MAX_PORT env variable")
 pflag.String(keyFileFlag, viper.GetString(keyFileFlag), "Optional. Path to the key file")
@@ -266,6 +269,7 @@ func parseEnvFlags() config{
 runtime.Must(viper.BindEnv(sidecarCPULimitFlag))
 runtime.Must(viper.BindEnv(sidecarCPURequestFlag))
 runtime.Must(viper.BindEnv(pullSidecarFlag))
+runtime.Must(viper.BindEnv(sdkServerAccountFlag))
 runtime.Must(viper.BindEnv(minPortFlag))
 runtime.Must(viper.BindEnv(maxPortFlag))
 runtime.Must(viper.BindEnv(keyFileFlag))
@@ -297,6 +301,7 @@ func parseEnvFlags() config{
 SidecarImage: viper.GetString(sidecarImageFlag),
 SidecarCPURequest: request,
 SidecarCPULimit: limit,
+SdkServiceAccount: viper.GetString(sdkServerAccountFlag),
 AlwaysPullSidecar: viper.GetBool(pullSidecarFlag),
 KeyFile: viper.GetString(keyFileFlag),
 CertFile: viper.GetString(certFileFlag),
@@ -319,6 +324,7 @@ type config struct{
 SidecarImagestring
 SidecarCPURequest resource.Quantity
 SidecarCPULimit resource.Quantity
+SdkServiceAccountstring
 AlwaysPullSidecarbool
 PrometheusMetricsbool
 Stackdriverbool

install/helm/agones/templates/controller.yaml

@@ -84,6 +84,8 @@ spec:
 value: {{.Values.agones.image.sdk.alwaysPull | quote }}
  - name: SIDECAR_CPU_REQUEST
 value: {{.Values.agones.image.sdk.cpuRequest | quote }}
+ - name: SDK_SERVICE_ACCOUNT
+value: {{.Values.agones.serviceaccount.sdk | quote }}
  - name: PROMETHEUS_EXPORTER
 value: {{.Values.agones.metrics.prometheusEnabled | quote }}
  - name: STACKDRIVER_EXPORTER

install/yaml/install.yaml

@@ -1139,6 +1139,8 @@ spec:
 value: "false"
  - name: SIDECAR_CPU_REQUEST
 value: "30m"
+ - name: SDK_SERVICE_ACCOUNT
+value: "agones-sdk"
  - name: PROMETHEUS_EXPORTER
 value: "true"
  - name: STACKDRIVER_EXPORTER

pkg/apis/stable/v1alpha1/gameserver.go

@@ -76,8 +76,6 @@ const (
 // GameServerContainerAnnotation is the annotation that stores
 // which container is the container that runs the dedicated game server
 GameServerContainerAnnotation=stable.GroupName+"/container"
-// SidecarServiceAccountName is the default service account for managing access to get/update GameServers
-SidecarServiceAccountName="agones-sdk"
 // DevAddressAnnotation is an annotation to indicate that a GameServer hosted outside of Agones.
 // A locally hosted GameServer is not managed by Agones it is just simply registered.
 DevAddressAnnotation="stable.agones.dev/dev-address"

pkg/apis/stable/v1alpha1/gameserver_test.go

@@ -322,7 +322,6 @@ func TestGameServerPod(t *testing.T){
 assert.Equal(t, "gameserver", pod.ObjectMeta.Labels[stable.GroupName+"/role"])
 assert.Equal(t, fixture.ObjectMeta.Name, pod.ObjectMeta.Labels[GameServerPodLabel])
 assert.Equal(t, fixture.Spec.Container, pod.ObjectMeta.Annotations[GameServerContainerAnnotation])
-assert.Equal(t, "agones-sdk", pod.Spec.ServiceAccountName)
 assert.True(t, metav1.IsControlledBy(pod, fixture))
 assert.Equal(t, fixture.Spec.Ports[0].HostPort, pod.Spec.Containers[0].Ports[0].HostPort)
 assert.Equal(t, fixture.Spec.Ports[0].ContainerPort, pod.Spec.Containers[0].Ports[0].ContainerPort)

pkg/gameservers/controller.go

@@ -65,6 +65,7 @@ type Controller struct{
 alwaysPullSidecarImagebool
 sidecarCPURequest resource.Quantity
 sidecarCPULimit resource.Quantity
+sdkServiceAccountstring
 crdGetter v1beta1.CustomResourceDefinitionInterface
 podGetter typedcorev1.PodsGetter
 podLister corelisterv1.PodLister
@@ -92,6 +93,7 @@ func NewController(
 alwaysPullSidecarImagebool,
 sidecarCPURequest resource.Quantity,
 sidecarCPULimit resource.Quantity,
+sdkServiceAccountstring,
 kubeClient kubernetes.Interface,
 kubeInformerFactory informers.SharedInformerFactory,
 extClient extclientset.Interface,
@@ -107,6 +109,7 @@ func NewController(
 sidecarCPULimit: sidecarCPULimit,
 sidecarCPURequest: sidecarCPURequest,
 alwaysPullSidecarImage: alwaysPullSidecarImage,
+sdkServiceAccount: sdkServiceAccount,
 crdGetter: extClient.ApiextensionsV1beta1().CustomResourceDefinitions(),
 podGetter: kubeClient.CoreV1(),
 podLister: pods.Lister(),
@@ -525,6 +528,11 @@ func (c *Controller) createGameServerPod(gs *v1alpha1.GameServer) (*v1alpha1.Gam
 returngs, err
  }
 
+// apply the sdk service account
+ifpod.Spec.ServiceAccountName==""{
+pod.Spec.ServiceAccountName=c.sdkServiceAccount
+ }
+
 c.addGameServerHealthCheck(gs, pod)
 
 c.loggerForGameServer(gs).WithField("pod", pod).Info("creating Pod for GameServer")

pkg/gameservers/controller_test.go

@@ -776,6 +776,7 @@ func TestControllerCreateGameServerPod(t *testing.T){
 
 assert.Equal(t, fixture.ObjectMeta.Name, pod.ObjectMeta.Name)
 assert.Equal(t, fixture.ObjectMeta.Namespace, pod.ObjectMeta.Namespace)
+assert.Equal(t, "sdk-service-account", pod.Spec.ServiceAccountName)
 assert.Equal(t, "gameserver", pod.ObjectMeta.Labels[stable.GroupName+"/role"])
 assert.Equal(t, fixture.ObjectMeta.Name, pod.ObjectMeta.Labels[v1alpha1.GameServerPodLabel])
 assert.True(t, metav1.IsControlledBy(pod, fixture))
@@ -1189,7 +1190,8 @@ func newFakeController() (*Controller, agtesting.Mocks){
 wh:=webhooks.NewWebHook(http.NewServeMux())
 c:=NewController(wh, healthcheck.NewHandler(),
 10, 20, "sidecar:dev", false,
-resource.MustParse("0.05"), resource.MustParse("0.1"), m.KubeClient, m.KubeInformerFactory, m.ExtClient, m.AgonesClient, m.AgonesInformerFactory)
+resource.MustParse("0.05"), resource.MustParse("0.1"), "sdk-service-account",
+m.KubeClient, m.KubeInformerFactory, m.ExtClient, m.AgonesClient, m.AgonesInformerFactory)
 c.recorder=m.FakeRecorder
 returnc, m
 }