install/0000_00_cluster-version-operator_03_deployment: Explicit kube…

…-api-access This content is injected by an admission webhook [1,2]. When we started removing not-in-manifest volumes in 83faa6e (lib/resourcemerge/core: Remove unrecognized volumes and mounts, 2021-09-14, #654), the cluster-version operator started removing the webhook-injected volume, leading to the cluster-version operator crash-looping on updates from 4.8 to 4.9 with messages like [3]: F0920 13:23:23.565439 1 start.go:24] error: error creating clients: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable With this commit, we follow the precedent of the Kubernetes API server's own manifest [4,5]. [1]: https://github.com/kubernetes/kubernetes/blob/2f68346fbb6246961ce0a3176418630950aea500/plugin/pkg/admission/serviceaccount/admission.go#L53-L54 [2]: https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#bound-service-account-token-volume [3]: https://bugzilla.redhat.com/show_bug.cgi?id=2005581 [4]: openshift/cluster-kube-apiserver-operator#1142 [5]: https://bugzilla.redhat.com/show_bug.cgi?id=1946479
openshift · openshift-merge-robot · Sep 21, 2021 · Sep 20, 2021 · Sep 21, 2021 · 97289cc3ebecd79d0442d156c32d8fac192b29b1
commit 97289cc3ebecd79d0442d156c32d8fac192b29b1
diff --git a/install/0000_00_cluster-version-operator_03_deployment.yaml b/install/0000_00_cluster-version-operator_03_deployment.yaml
@@ -20,6 +20,7 @@ spec:
       labels:
         k8s-app: cluster-version-operator
     spec:
+      automountServiceAccountToken: false
       containers:
       - name: cluster-version-operator
         image: {{.ReleaseImage}}
@@ -48,6 +49,9 @@ spec:
           - mountPath: /etc/tls/serving-cert
             name: serving-cert
             readOnly: true
+          - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+            name: kube-api-access
+            readOnly: true
         env:
           - name: KUBERNETES_SERVICE_PORT # allows CVO to communicate with apiserver directly on same host.  Is substituted with port from infrastructures.status.apiServerInternalURL if available.
             value: "6443"
@@ -92,3 +96,21 @@ spec:
         - name: serving-cert
           secret:
             secretName: cluster-version-operator-serving-cert
+        - name: kube-api-access
+          projected:
+            defaultMode: 420
+            sources:
+            - serviceAccountToken:
+                expirationSeconds: 3600
+                path: token
+            - configMap:
+                items:
+                - key: ca.crt
+                  path: ca.crt
+                name: kube-root-ca.crt
+            - downwardAPI:
+                items:
+                - fieldRef:
+                    apiVersion: v1
+                    fieldPath: metadata.namespace
+                  path: namespace