From 1af526806216d762831137f2391b654805469766 Mon Sep 17 00:00:00 2001
From: michaellee8 <ckmichael8@gmail.com>
Date: Fri, 12 Aug 2022 11:14:29 +0800
Subject: [PATCH] fix: for bounded service account token

Signed-off-by: michaellee8 <ckmichael8@gmail.com>
---
 .../vitessbackupstorage/reconcile_subcontroller.go     | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go b/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go
index 1cfa8695..88cd06e6 100644
--- a/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go
+++ b/pkg/controller/vitessbackupstorage/reconcile_subcontroller.go
@@ -136,6 +136,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte
 		if strings.HasPrefix(volume.Name, tokenNamePrefix) {
 			continue
 		}
+		// also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken
+		// https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens
+		if strings.HasPrefix(volume.Name, "kube-api-access-") {
+			continue
+		}
 		newVolumes = append(newVolumes, volume)
 	}
 	spec.Volumes = newVolumes
@@ -149,6 +154,11 @@ func (r *ReconcileVitessBackupStorage) newSubcontrollerPodSpec(ctx context.Conte
 			if strings.HasPrefix(mount.Name, tokenNamePrefix) {
 				continue
 			}
+			// also skip volumes mounted by k8s v1.21+ BoundedServiceAccountToken
+			// https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens
+			if strings.HasPrefix(mount.Name, "kube-api-access-") {
+				continue
+			}
 			newMounts = append(newMounts, mount)
 		}