Service Account cannot be removed from PodSpec

[redeux]

Terraform Version, Provider Version and Kubernetes Version

Terraform version: 0.14.2
Kubernetes provider version: 2.0.0-rc (master)
Kubernetes version: 1.19.1

Affected Resource(s)

• Deployment
• DaemonSet
• StatefulSet
• Job
• CronJob
• Pod

Terraform Configuration Files

terraform {
  required_providers {
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "2.0.0"
    }
  }
}

provider "kubernetes" {
  config_path = "~/.kube/config"
}

resource "kubernetes_deployment" "example" {
  metadata {
    name = "terraform-example"
    labels = {
      test = "MyExampleApp"
    }
  }

  spec {
    replicas = 1

    selector {
      match_labels = {
        test = "MyExampleApp"
      }
    }

    template {
      metadata {
        labels = {
          test = "MyExampleApp"
        }
      }

      spec {
        container {
          image = "nginx:1.7.8"
          name  = "example"
        }
      service_account_name = "default"
      }
    }
  }
}

Debug Output

Panic Output

Steps to Reproduce

1. terraform apply
2. comment out the service_account_name attribute, or change the value to ""
3. terraform plan

Expected Behavior

Plan: 0 to add, 1 to change, 0 to destroy.

Actual Behavior

No changes. Infrastructure is up-to-date.

This means that Terraform did not detect any differences between your
configuration and real physical resources that exist. As a result, no
actions need to be performed.

Important Factoids

References

• Unable to remove certain blocks from Terraform config #961

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[dak1n1]

I looked into this today because I almost filed the very same bug! 😄

TL;DR:

From a provider perspective, what we need to do is set ServiceAccountName to default when a user removes service_account_name from their configuration. This should make for a more intuitive workflow.

In the mean time, as a work-around, users can set service_account_name = "default" in their configs.

Long answer:

The reason for this is Kubernetes will automatically populate ServiceAccountName="default" if no ServiceAccount is specified. So this is functionally the same as having the field blank.

Here's what's happening on the Kubernetes side:

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server

I tested this using a basic pod:

$ cat pod.yaml 

apiVersion: "v1"
kind: "Pod"
metadata:
    name: "test"
    namespace: "default"
spec:
    containers:
    - command:
      - "sleep"
      - "3600s"
      image: "alpine:3.12.1"
      imagePullPolicy: "IfNotPresent"
      name: "default"

The pod had the ServiceAccountName field set, even though it wasn't specified in the yaml.

$ kubectl apply -f pod.yaml
pod/test created

$ kubectl get pod test -o json  |jq .spec.serviceAccountName
"default"

This is the case in pods with and without automountServiceAccountToken specified.

$ kube get pods test -o json  |jq .spec.automountServiceAccountToken
false

[github-actions]

Marking this issue as stale due to inactivity. If this issue receives no comments in the next 30 days it will automatically be closed. If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. This helps our maintainers find and focus on the active issues. Maintainers may also remove the stale label at their discretion. Thank you!

[github-actions]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.