FederatedServiceAccount Resource Do Not Get Synced When Spec is Undefined

[danehans]

A ServiceAccount resource is typically created without a spec field. Here is an example from Kubernetes documentation

kubectl create -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: build-robot
EOF
serviceaccount/build-robot created

When creating a FederatedServiceAccount resource without spec defined, the ServiceAccount resource does not get created in target clusters.

When creating a FederatedServiceAccount with spec defined, the ServiceAccount resource does get created in target clusters. For example:

apiVersion: core.federation.k8s.io/v1alpha1
kind: FederatedServiceAccount
metadata:
  name: foo
  namespace: bar
spec:
  template:
    automountServiceAccountToken: true

[gyliu513]

@danehans this is because the sync controller has some logic to check spec, if the spec does not exist, sync controller will report error and the federation resource creation will be failed.

For more detail, please check code https://github.com/kubernetes-sigs/federation-v2/blob/v0.0.2/pkg/controller/sync/controller.go#L695

Also if you describe the federatedserviceaccounts without spec, you will see the error of Unable to retrieve template body.

root@gyliu-dev1:~/go/src/github.com/kubernetes-sigs/federation-v2# kubectl describe federatedserviceaccounts -n test-namespace
Name:         test-serviceaccount
Namespace:    test-namespace
Labels:       <none>
Annotations:  kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"core.federation.k8s.io/v1alpha1","kind":"FederatedServiceAccount","metadata":{"annotations":{},"name":"test-serviceaccount","namespace":...
API Version:  core.federation.k8s.io/v1alpha1
Kind:         FederatedServiceAccount
Metadata:
  Creation Timestamp:  2018-10-23T07:35:58Z
  Finalizers:
    federation.kubernetes.io/delete-from-underlying-clusters
    orphan
  Generation:        1
  Resource Version:  4617663
  Self Link:         /apis/core.federation.k8s.io/v1alpha1/namespaces/test-namespace/federatedserviceaccounts/test-serviceaccount
  UID:               48c625c0-d696-11e8-8214-00163e01fa8a
Events:
  Type     Reason                     Age                From                                Message
  ----     ------                     ----               ----                                -------
  Warning  FedClusterOperationsError  11s (x4 over 46s)  federatedserviceaccount-controller  Error obtaining sync operations for FederatedServiceAccount: test-namespace/test-serviceaccount error: Unable to retrieve template body

@marun shall we remove the checking for the body spec when creating federated resources?

[marun]

The check for the template field is intended to provide a clear signal that a template isn't formed correctly, since most resources will have a body. At least for now, I'd rather see templates for types that are not expected to have a body include an empty template rather than remove this safeguard for the majority of types.

apiVersion: core.federation.k8s.io/v1alpha1
kind: FederatedServiceAccount
metadata:
  name: foo
  namespace: bar
spec:
  template:
    # It shouldn't be necessary for the template to include any fields.

[gyliu513]

Thanks @marun , so for this issue, seems we can close it? As the federated resource event already tell us enough error message.

@danehans what do you think? Thanks.

[danehans]

I think it should be documented somewhere before closing. I'm confident others will run into the same issue.

[freegroup]

seems to be related #1079