put behind a feature gate

Author: atoulme

.chloggen/explicitlymounttokens.yaml

@@ -3,10 +3,13 @@ change_type: enhancement
 # The name of the component, or a single word describing the area of concern, (e.g. agent, clusterReceiver, gateway, operator, chart, other)
 component: all
 # A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
-note: Explicitly mount service tokens in specific tokens rather than enabling them at the service account level
+note: Offer an experimental feature gate to mount service tokens in specific tokens.
 # One or more tracking issues related to the change
 issues: [1421]
 # (Optional) One or more lines of additional information to render under the primary note.
 # These lines will be padded with 2 spaces and then inserted directly into the document.
 # Use pipe (|) for multiline entries.
-subtext:
+subtext: |
+  Kubernetes API access tokens are currently granted via mounting them on all containers of the cluster receiver,
+  gateway and daemonset. They are also enabled for the target allocator deployment.
+  This experimental change defines how to mount the service account token on specific containers.

examples/add-filter-processor/rendered_manifests/daemonset.yaml

@@ -38,7 +38,6 @@ spec:
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: default-splunk-otel-collector
-      automountServiceAccountToken: false
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -220,28 +219,8 @@ spec:
         - mountPath: /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
           name: run-collectd
           readOnly: false
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: serviceaccount-token
-          readOnly: true
       terminationGracePeriodSeconds: 600
       volumes:
-      - name: serviceaccount-token
-        projected:
-          defaultMode: 0444
-          sources:
-          - serviceAccountToken:
-              path: token
-          - configMap:
-              name: kube-root-ca.crt
-              items:
-              - key: ca.crt
-                path: ca.crt
-          - downwardAPI:
-              items:
-              - path: namespace
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.namespace
       - name: run-collectd
         emptyDir:
           sizeLimit: 25Mi

examples/add-filter-processor/rendered_manifests/deployment-cluster-receiver.yaml

@@ -34,7 +34,6 @@ spec:
         checksum/config: 4e343035a89a2b86f2f7841a81c3c485850742afe99e7c8c5d5069886a778ddc
     spec:
       serviceAccountName: default-splunk-otel-collector
-      automountServiceAccountToken: false
       nodeSelector:
           kubernetes.io/os: linux
       containers:
@@ -86,34 +85,13 @@ spec:
             cpu: 200m
             memory: 500Mi
         volumeMounts:
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: serviceaccount-token
-          readOnly: true
         - mountPath: /conf
           name: collector-configmap
         - mountPath: /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
           name: run-collectd
           readOnly: false
       terminationGracePeriodSeconds: 600
       volumes:
-      - name: serviceaccount-token
-        projected:
-          defaultMode: 0444
-          sources:
-            - serviceAccountToken:
-                expirationSeconds: 3607
-                path: token
-            - configMap:
-                name: kube-root-ca.crt
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-            - downwardAPI:
-                items:
-                  - path: namespace
-                    fieldRef:
-                      apiVersion: v1
-                      fieldPath: metadata.namespace
       - name: collector-configmap
         configMap:
           name: default-splunk-otel-collector-otel-k8s-cluster-receiver

examples/add-filter-processor/rendered_manifests/serviceAccount.yaml

@@ -2,7 +2,7 @@
 # Source: splunk-otel-collector/templates/serviceAccount.yaml
 apiVersion: v1
 kind: ServiceAccount
-automountServiceAccountToken: false
+automountServiceAccountToken: true
 metadata:
   name: default-splunk-otel-collector
   namespace: default

examples/add-kafkametrics-receiver/rendered_manifests/daemonset.yaml

@@ -38,7 +38,6 @@ spec:
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: default-splunk-otel-collector
-      automountServiceAccountToken: false
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -220,28 +219,8 @@ spec:
         - mountPath: /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
           name: run-collectd
           readOnly: false
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: serviceaccount-token
-          readOnly: true
       terminationGracePeriodSeconds: 600
       volumes:
-      - name: serviceaccount-token
-        projected:
-          defaultMode: 0444
-          sources:
-          - serviceAccountToken:
-              path: token
-          - configMap:
-              name: kube-root-ca.crt
-              items:
-              - key: ca.crt
-                path: ca.crt
-          - downwardAPI:
-              items:
-              - path: namespace
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.namespace
       - name: run-collectd
         emptyDir:
           sizeLimit: 25Mi

examples/add-kafkametrics-receiver/rendered_manifests/deployment-cluster-receiver.yaml

@@ -34,7 +34,6 @@ spec:
         checksum/config: 4e343035a89a2b86f2f7841a81c3c485850742afe99e7c8c5d5069886a778ddc
     spec:
       serviceAccountName: default-splunk-otel-collector
-      automountServiceAccountToken: false
       nodeSelector:
           kubernetes.io/os: linux
       containers:
@@ -86,34 +85,13 @@ spec:
             cpu: 200m
             memory: 500Mi
         volumeMounts:
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: serviceaccount-token
-          readOnly: true
         - mountPath: /conf
           name: collector-configmap
         - mountPath: /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
           name: run-collectd
           readOnly: false
       terminationGracePeriodSeconds: 600
       volumes:
-      - name: serviceaccount-token
-        projected:
-          defaultMode: 0444
-          sources:
-            - serviceAccountToken:
-                expirationSeconds: 3607
-                path: token
-            - configMap:
-                name: kube-root-ca.crt
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-            - downwardAPI:
-                items:
-                  - path: namespace
-                    fieldRef:
-                      apiVersion: v1
-                      fieldPath: metadata.namespace
       - name: collector-configmap
         configMap:
           name: default-splunk-otel-collector-otel-k8s-cluster-receiver

examples/add-kafkametrics-receiver/rendered_manifests/serviceAccount.yaml

@@ -2,7 +2,7 @@
 # Source: splunk-otel-collector/templates/serviceAccount.yaml
 apiVersion: v1
 kind: ServiceAccount
-automountServiceAccountToken: false
+automountServiceAccountToken: true
 metadata:
   name: default-splunk-otel-collector
   namespace: default

examples/add-receiver-creator/rendered_manifests/daemonset.yaml

@@ -38,7 +38,6 @@ spec:
       hostNetwork: true
       dnsPolicy: ClusterFirstWithHostNet
       serviceAccountName: default-splunk-otel-collector
-      automountServiceAccountToken: false
       nodeSelector:
         kubernetes.io/os: linux
       tolerations:
@@ -171,28 +170,8 @@ spec:
         - mountPath: /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
           name: run-collectd
           readOnly: false
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: serviceaccount-token
-          readOnly: true
       terminationGracePeriodSeconds: 600
       volumes:
-      - name: serviceaccount-token
-        projected:
-          defaultMode: 0444
-          sources:
-          - serviceAccountToken:
-              path: token
-          - configMap:
-              name: kube-root-ca.crt
-              items:
-              - key: ca.crt
-                path: ca.crt
-          - downwardAPI:
-              items:
-              - path: namespace
-                fieldRef:
-                  apiVersion: v1
-                  fieldPath: metadata.namespace
       - name: run-collectd
         emptyDir:
           sizeLimit: 25Mi

examples/add-receiver-creator/rendered_manifests/deployment-cluster-receiver.yaml

@@ -34,7 +34,6 @@ spec:
         checksum/config: 4e343035a89a2b86f2f7841a81c3c485850742afe99e7c8c5d5069886a778ddc
     spec:
       serviceAccountName: default-splunk-otel-collector
-      automountServiceAccountToken: false
       nodeSelector:
           kubernetes.io/os: linux
       containers:
@@ -86,34 +85,13 @@ spec:
             cpu: 200m
             memory: 500Mi
         volumeMounts:
-        - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
-          name: serviceaccount-token
-          readOnly: true
         - mountPath: /conf
           name: collector-configmap
         - mountPath: /usr/lib/splunk-otel-collector/agent-bundle/run/collectd
           name: run-collectd
           readOnly: false
       terminationGracePeriodSeconds: 600
       volumes:
-      - name: serviceaccount-token
-        projected:
-          defaultMode: 0444
-          sources:
-            - serviceAccountToken:
-                expirationSeconds: 3607
-                path: token
-            - configMap:
-                name: kube-root-ca.crt
-                items:
-                  - key: ca.crt
-                    path: ca.crt
-            - downwardAPI:
-                items:
-                  - path: namespace
-                    fieldRef:
-                      apiVersion: v1
-                      fieldPath: metadata.namespace
       - name: collector-configmap
         configMap:
           name: default-splunk-otel-collector-otel-k8s-cluster-receiver

examples/add-receiver-creator/rendered_manifests/serviceAccount.yaml

@@ -2,7 +2,7 @@
 # Source: splunk-otel-collector/templates/serviceAccount.yaml
 apiVersion: v1
 kind: ServiceAccount
-automountServiceAccountToken: false
+automountServiceAccountToken: true
 metadata:
   name: default-splunk-otel-collector
   namespace: default