chore: Allow to set automountServiceAccountToken in ServiceAccount

https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes > The LegacyServiceAccountTokenNoAutoGeneration feature gate is beta, and enabled by default. When enabled, Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount. Use the [TokenRequest](https://kubernetes.io/docs/reference/kubernetes-api/authentication-resources/token-request-v1/) API to acquire service account tokens, or if a non-expiring token is required, create a Secret API object for the token controller to populate with a service account token by following this [guide](https://kubernetes.io/docs/concepts/configuration/secret/#service-account-token-secrets). (kubernetes/kubernetes#108309, [@zshihang](https://github.com/zshihang)) Since k8s 1.24, TOKEN is not mounted automatically. If you want to access with IRSA, you need to use a token. Signed-off-by: kahirokunn <[email protected]>
kubernetes-sigs · Jun 15, 2023 · aea7ec2 · aea7ec2
1 parent 31c6df4
commit aea7ec2
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 0 deletions.
diff --git a/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml b/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-controller.yaml
@@ -15,4 +15,7 @@ metadata:
   #annotations:
   #  eks.amazonaws.com/role-arn: arn:<partition>:iam::<account>:role/ebs-csi-role
   {{- end }}
+{{- if .Values.controller.serviceAccount.automountServiceAccountToken }}
+automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
+{{- end }}
 {{- end -}}
diff --git a/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml b/charts/aws-ebs-csi-driver/templates/serviceaccount-csi-node.yaml
@@ -10,4 +10,7 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+{{- if .Values.node.serviceAccount.automountServiceAccountToken }}
+automountServiceAccountToken: {{ .Values.node.serviceAccount.automountServiceAccountToken }}
+{{- end }}
 {{- end -}}
diff --git a/charts/aws-ebs-csi-driver/values.yaml b/charts/aws-ebs-csi-driver/values.yaml
@@ -227,6 +227,7 @@ controller:
     create: true
     name: ebs-csi-controller-sa
     annotations: {}
+    automountServiceAccountToken: false
   tolerations:
     - key: CriticalAddonsOnly
       operator: Exists
@@ -300,6 +301,7 @@ node:
     create: true
     name: ebs-csi-node-sa
     annotations: {}
+    automountServiceAccountToken: false
   enableWindows: false
   # The "maximum number of attachable volumes" per node
   volumeAttachLimit: