add the service account to the job pod spec

ehearne-redhat · ehearne-redhat · commit ac5fdc211bd7 · 2026-01-09T17:04:13.000Z
diff --git a/pkg/controller/bundle/bundle_unpacker.go b/pkg/controller/bundle/bundle_unpacker.go
@@ -118,6 +118,7 @@ func (c *ConfigMapUnpacker) job(cmRef *corev1.ObjectReference, bundlePath string
 					// Keeping the pods around after failures helps in inspecting the logs of a failed bundle unpack job.
 					// See: https://kubernetes.io/docs/concepts/workloads/controllers/job/#pod-backoff-failure-policy
 					RestartPolicy:    corev1.RestartPolicyNever,
+					ServiceAccountName: cmRef.Name,
 					ImagePullSecrets: secrets,
 					SecurityContext: &corev1.PodSecurityContext{
 						SeccompProfile: &corev1.SeccompProfile{
diff --git a/pkg/controller/bundle/bundle_unpacker_test.go b/pkg/controller/bundle/bundle_unpacker_test.go
@@ -275,6 +275,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy:    corev1.RestartPolicyNever,
+									ServiceAccountName: pathHash,
 									ImagePullSecrets: []corev1.LocalObjectReference{{Name: "my-secret"}},
 									SecurityContext: &corev1.PodSecurityContext{
 										RunAsNonRoot: ptr.To(bool(true)),
@@ -495,6 +496,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
+									ServiceAccountName: digestHash,
 									SecurityContext: &corev1.PodSecurityContext{
 										RunAsNonRoot: ptr.To(bool(true)),
 										RunAsUser:    ptr.To(int64(runAsUser)),
@@ -754,6 +756,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
+									ServiceAccountName: digestHash,
 									SecurityContext: &corev1.PodSecurityContext{
 										RunAsNonRoot: ptr.To(bool(true)),
 										RunAsUser:    ptr.To(int64(runAsUser)),
@@ -1008,6 +1011,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
+									ServiceAccountName: pathHash,
 									SecurityContext: &corev1.PodSecurityContext{
 										RunAsNonRoot: ptr.To(bool(true)),
 										RunAsUser:    ptr.To(int64(runAsUser)),
@@ -1232,6 +1236,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
+									ServiceAccountName: pathHash,
 									SecurityContext: &corev1.PodSecurityContext{
 										RunAsNonRoot: ptr.To(bool(true)),
 										RunAsUser:    ptr.To(int64(runAsUser)),
@@ -1469,6 +1474,7 @@ func TestConfigMapUnpacker(t *testing.T) {
 								},
 								Spec: corev1.PodSpec{
 									RestartPolicy: corev1.RestartPolicyNever,
+									ServiceAccountName: pathHash,
 									SecurityContext: &corev1.PodSecurityContext{
 										RunAsNonRoot: ptr.To(bool(true)),
 										RunAsUser:    ptr.To(int64(runAsUser)),
