fix: for bounded service account token

Signed-off-by: michaellee8 <ckmichael8@gmail.com>
planetscale · Aug 12, 2022 · 1af5268 · 1af5268
1 parent aa8a0ce
commit 1af5268
Showing 1 changed file with 10 additions and 0 deletions.
diff --git a/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go b/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go
@@ -136,6 +136,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte
 		if strings.HasPrefix(volume.Name, tokenNamePrefix) {
 			continue
 		}
+		// also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken
+		// https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens
+		if strings.HasPrefix(volume.Name, "kube-api-access-") {
+			continue
+		}
 		newVolumes = append(newVolumes, volume)
 	}
 	spec.Volumes = newVolumes
@@ -149,6 +154,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte
 			if strings.HasPrefix(mount.Name, tokenNamePrefix) {
 				continue
 			}
+			// also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken
+			// https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens
+			if strings.HasPrefix(mount.Name, "kube-api-access-") {
+				continue
+			}
 			newMounts = append(newMounts, mount)
 		}