Separate calico-node and calico-cni-plugin service accounts

charts/calico/templates/calico-node-rbac.yaml

@@ -17,14 +17,6 @@ rules:
 {{- end }}
     verbs:
       - create
-  # The CNI plugin needs to get pods, nodes, and namespaces.
-  - apiGroups: [""]
-    resources:
-      - pods
-      - nodes
-      - namespaces
-    verbs:
-      - get
   # EndpointSlices are used for Service-based network policy rule
   # enforcement.
   - apiGroups: ["discovery.k8s.io"]
@@ -76,13 +68,6 @@ rules:
     verbs:
       - list
       - watch
-  # The CNI plugin patches pods/status.
-  - apiGroups: [""]
-    resources:
-      - pods/status
-    verbs:
-      - patch
-  # Calico monitors various CRDs for config.
   - apiGroups: ["crd.projectcalico.org"]
     resources:
       - globalfelixconfigs
@@ -138,26 +123,6 @@ rules:
       - create
       - update
 {{- if eq .Values.network "calico" }}
-  # These permissions are required for Calico CNI to perform IPAM allocations.
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - blockaffinities
-      - ipamblocks
-      - ipamhandles
-    verbs:
-      - get
-      - list
-      - create
-      - update
-      - delete
-  # The CNI plugin and calico/node need to be able to create a default
-  # IPAMConfiguration
-  - apiGroups: ["crd.projectcalico.org"]
-    resources:
-      - ipamconfigs
-    verbs:
-      - get
-      - create
   # Block affinities must also be watchable by confd for route aggregation.
   - apiGroups: ["crd.projectcalico.org"]
     resources:
@@ -176,6 +141,61 @@ rules:
 
 ---
 
+metadata:
+  name: calico-cni-plugin
+rules:
+  # Used for creating service account tokens to be used by the CNI plugin
+  - apiGroups: [""]
+    resources:
+      - serviceaccounts/token
+    resourceNames:
+  {{- if eq .Values.network "flannel" }}
+- canal-cni
+  {{- else }}
+- calico-cni-plugin
+  {{- end }}
+verbs:
+  - create
+# The CNI plugin needs to get pods, nodes, and namespaces.
+- apiGroups: [""]
+  resources:
+    - pods
+    - nodes
+    - namespaces
+  verbs:
+    - get
+  {{- if eq .Values.datastore "kubernetes" }}
+- apiGroups: [""]
+  resources:
+    - pods/status
+  verbs:
+    - patch
+  {{- if eq .Values.network "calico" }}
+# These permissions are required for Calico CNI to perform IPAM allocations.
+- apiGroups: ["crd.projectcalico.org"]
+  resources:
+    - blockaffinities
+    - ipamblocks
+    - ipamhandles
+  verbs:
+    - get
+    - list
+    - create
+    - update
+    - delete
+# The CNI plugin and calico/node need to be able to create a default
+# IPAMConfiguration
+- apiGroups: ["crd.projectcalico.org"]
+  resources:
+    - ipamconfigs
+  verbs:
+    - get
+    - create
+  {{- end }}
+  {{- end }}
+
+---
+
 {{- if eq .Values.network "flannel" }}
 # Flannel ClusterRole
 # Pulled from https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel-rbac.yml
@@ -227,6 +247,19 @@ subjects:
 - kind: ServiceAccount
   name: canal
   namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: canal-calico-cni
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-cni-plugin
+subjects:
+  - kind: ServiceAccount
+    name: canal-cni-plugin
+    namespace: kube-system
 {{- else }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -240,4 +273,17 @@ subjects:
 - kind: ServiceAccount
   name: calico-node
   namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-cni-plugin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-cni-plugin
+subjects:
+  - kind: ServiceAccount
+    name: calico-cni-plugin
+    namespace: kube-system
 {{- end }}

node/pkg/cni/token_watch.go

@@ -22,7 +22,8 @@ import (
 )
 
 const (
-	defaultServiceAccountName      = "calico-node"
+	defaultNodeAccountName         = "calico-node"
+	defaultCNIPluginAccountName    = "calico-cni-plugin"
 	serviceAccountNamespace        = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
 	tokenFile                      = "/var/run/secrets/kubernetes.io/serviceaccount/token"
 	defaultCNITokenValiditySeconds = 24 * 60 * 60
@@ -217,7 +218,7 @@ func Run() {
 	if err != nil {
 		logrus.WithError(err).Fatal("Failed to create in cluster client set")
 	}
-	tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), CNIServiceAccountName())
+	tr := NewTokenRefresher(clientset, NamespaceOfUsedServiceAccount(), NodeServiceAccountName())
 	tokenChan := tr.TokenChan()
 	go tr.Run()
 
@@ -244,7 +245,15 @@ func CNIServiceAccountName() string {
 		logrus.WithField("name", sa).Debug("Using service account from CALICO_CNI_SERVICE_ACCOUNT")
 		return sa
 	}
-	return defaultServiceAccountName
+	return defaultCNIPluginAccountName
+}
+
+func NodeServiceAccountName() string {
+	if na := os.Getenv("CALICO_NODE_SERVICE_ACCOUNT"); na != "" {
+		logrus.WithField("name", na).Debug("Using service account from CALICO_NODE_SERVICE_ACCOUNT")
+		return na
+	}
+	return defaultNodeAccountName
 }
 
 // writeKubeconfig writes an updated kubeconfig file to disk that the CNI plugin can use to access the Kubernetes API.

node/tests/k8st/infra/calico-kdd.yaml

@@ -29,6 +29,13 @@ metadata:
   name: calico-node
   namespace: kube-system
 ---
+# Source: calico/templates/calico-node.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-cni-plugin
+  namespace: kube-system
+---
 # Source: calico/templates/calico-config.yaml
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap