fix: disable SA token automount for tidbinitializer

tennix · tennix · commit 42acf0e7e574 · 2026-04-21T16:07:40.000+08:00
diff --git a/pkg/manager/member/tidb_init_manager.go b/pkg/manager/member/tidb_init_manager.go
@@ -352,8 +352,9 @@ func (m *tidbInitManager) makeTiDBInitJob(ti *v1alpha1.TidbInitializer) (*batchv
 			Annotations: util.CopyStringMap(ti.Annotations),
 		},
 		Spec: corev1.PodSpec{
-			ImagePullSecrets: ti.Spec.ImagePullSecrets,
-			SecurityContext:  ti.Spec.PodSecurityContext,
+			ImagePullSecrets:             ti.Spec.ImagePullSecrets,
+			SecurityContext:              ti.Spec.PodSecurityContext,
+			AutomountServiceAccountToken: pointer.BoolPtr(false),
 			InitContainers: []corev1.Container{
 				{
 					Name:    initContainerName,
diff --git a/pkg/manager/member/tidb_init_manager_test.go b/pkg/manager/member/tidb_init_manager_test.go
@@ -128,6 +128,21 @@ func TestTiDBInitManagerSync(t *testing.T) {
 	}
 }
 
+func TestMakeTiDBInitJobDisablesServiceAccountTokenAutomount(t *testing.T) {
+	g := NewGomegaWithT(t)
+	tim, _, indexers := newFakeTiDBInitManager()
+	ti := newTidbInitializerForTiDB()
+	tc := newTidbClusterForTiDB()
+
+	err := indexers.tc.Add(tc)
+	g.Expect(err).NotTo(HaveOccurred())
+
+	job, err := tim.makeTiDBInitJob(ti)
+	g.Expect(err).NotTo(HaveOccurred())
+	g.Expect(job.Spec.Template.Spec.AutomountServiceAccountToken).NotTo(BeNil())
+	g.Expect(*job.Spec.Template.Spec.AutomountServiceAccountToken).To(BeFalse())
+}
+
 func newFakeTiDBInitManager() (*tidbInitManager, *tidbMemberManager, *fakeIndexers) {
 	tmm, _, _, indexers := newFakeTiDBMemberManager()
 	indexers.job = tmm.deps.KubeInformerFactory.Batch().V1().Jobs().Informer().GetIndexer()
