Uupdate worker pod configuration: Introduce service account and automount options in env.ts, kubernetes.ts, and helm templates for improved Kubernetes integration.

Author: ConProgramming

apps/supervisor/src/env.ts

@@ -73,6 +73,8 @@ const Env = z.object({
   KUBERNETES_FORCE_ENABLED: BoolEnv.default(false),
   KUBERNETES_NAMESPACE: z.string().default("default"),
   KUBERNETES_WORKER_NODETYPE_LABEL: z.string().default("v4-worker"),
+  KUBERNETES_WORKER_SERVICE_ACCOUNT: z.string().optional(), // Service account for worker pods
+  KUBERNETES_WORKER_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN: BoolEnv.default(false), // Whether to mount SA token
   KUBERNETES_IMAGE_PULL_SECRETS: z.string().optional(), // csv
   KUBERNETES_EPHEMERAL_STORAGE_SIZE_LIMIT: z.string().default("10Gi"),
   KUBERNETES_EPHEMERAL_STORAGE_SIZE_REQUEST: z.string().default("2Gi"),

apps/supervisor/src/workloadManager/kubernetes.ts

@@ -237,8 +237,13 @@ export class KubernetesWorkloadManager implements WorkloadManager {
   get #defaultPodSpec(): Omit<k8s.V1PodSpec, "containers"> {
     return {
       restartPolicy: "Never",
-      automountServiceAccountToken: false,
+      // Explicit control over service account token mounting (defaults to false for security)
+      automountServiceAccountToken: env.KUBERNETES_WORKER_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN,
       imagePullSecrets: this.getImagePullSecrets(),
+      // Optionally specify a service account for the worker pods
+      ...(env.KUBERNETES_WORKER_SERVICE_ACCOUNT
+        ? { serviceAccountName: env.KUBERNETES_WORKER_SERVICE_ACCOUNT }
+        : {}),
       securityContext: {
         runAsNonRoot: true,
         runAsUser: 1000,

hosting/k8s/helm/templates/supervisor.yaml

@@ -170,6 +170,10 @@ spec:
               value: {{ .Values.supervisor.config.kubernetes.forceEnabled | quote }}
             - name: KUBERNETES_WORKER_NODETYPE_LABEL
               value: {{ .Values.supervisor.config.kubernetes.workerNodetypeLabel | quote }}
+            - name: KUBERNETES_WORKER_SERVICE_ACCOUNT
+              value: {{ .Values.supervisor.config.kubernetes.workerServiceAccount | quote }}
+            - name: KUBERNETES_WORKER_AUTOMOUNT_SERVICE_ACCOUNT_TOKEN
+              value: {{ .Values.supervisor.config.kubernetes.workerAutomountServiceAccountToken | quote }}
             {{- $registryAuthEnabled := false }}
             {{- if .Values.registry.deploy }}
               {{- $registryAuthEnabled = .Values.registry.auth.enabled }}

hosting/k8s/helm/templates/worker-serviceaccount.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.worker }}
+{{- if .Values.worker.serviceAccount }}
+{{- if .Values.worker.serviceAccount.create }}
+---
+# Service Account for worker pods
+# Note: By default, the service account token is NOT mounted into pods (automountServiceAccountToken: false)
+# This follows the principle of least privilege. Enable token mounting only if pods need K8s API access.
+# For cloud IAM integration (AWS IRSA, GCP Workload Identity), you typically don't need the token mounted.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Values.worker.serviceAccount.name | default "trigger-worker" }}
+  namespace: {{ default .Release.Namespace .Values.supervisor.config.kubernetes.namespace }}
+  labels:
+    {{- include "trigger-v4.labels" . | nindent 4 }}
+    app.kubernetes.io/component: worker
+  {{- with .Values.worker.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- if .Values.worker.rbac.create }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.worker.serviceAccount.name | default "trigger-worker" }}
+  namespace: {{ default .Release.Namespace .Values.supervisor.config.kubernetes.namespace }}
+  labels:
+    {{- include "trigger-v4.labels" . | nindent 4 }}
+    app.kubernetes.io/component: worker
+rules:
+  # Add any permissions your worker pods need
+  # For example, if they need to read ConfigMaps:
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    verbs: ["get", "list"]
+  # Or if they need to read secrets:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ .Values.worker.serviceAccount.name | default "trigger-worker" }}
+  namespace: {{ default .Release.Namespace .Values.supervisor.config.kubernetes.namespace }}
+  labels:
+    {{- include "trigger-v4.labels" . | nindent 4 }}
+    app.kubernetes.io/component: worker
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.worker.serviceAccount.name | default "trigger-worker" }}
+    namespace: {{ default .Release.Namespace .Values.supervisor.config.kubernetes.namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Values.worker.serviceAccount.name | default "trigger-worker" }}
+  apiGroup: rbac.authorization.k8s.io
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}

hosting/k8s/helm/values.yaml

@@ -261,6 +261,8 @@ supervisor:
       forceEnabled: true
       namespace: "" # Default: uses release namespace
       workerNodetypeLabel: "" # When set, runs will only be scheduled on nodes with "nodetype=<label>"
+      workerServiceAccount: "trigger-worker" # Service account name for worker pods (e.g. "trigger-worker")
+      workerAutomountServiceAccountToken: true # Whether to mount the SA token in worker pods. Keep false unless pods need K8s API access
       ephemeralStorageSizeLimit: "" # Default: 10Gi
       ephemeralStorageSizeRequest: "" # Default: 2Gi´
     podCleaner:
@@ -354,6 +356,18 @@ supervisor:
   tolerations: []
   affinity: {}
 
+# Worker pod configuration
+worker:
+  # Service account for worker pods
+  serviceAccount:
+    create: true # Set to true to create a service account for worker pods
+    name: "trigger-worker" # Name of the service account
+    annotations: {} # Annotations to add to the service account (e.g., for AWS IRSA, GCP Workload Identity)
+  
+  # RBAC configuration for worker pods
+  rbac:
+    create: false # Set to true to create RBAC resources if worker pods need Kubernetes API access
+
 # PostgreSQL configuration
 # Subchart: https://github.com/bitnami/charts/tree/main/bitnami/postgresql
 postgres: