Skip to content

Add serviceAccountName to TidbInitializer (#6872)#6881

Open
ti-chi-bot wants to merge 1 commit intopingcap:release-1.6from
ti-chi-bot:cherry-pick-6872-to-release-1.6
Open

Add serviceAccountName to TidbInitializer (#6872)#6881
ti-chi-bot wants to merge 1 commit intopingcap:release-1.6from
ti-chi-bot:cherry-pick-6872-to-release-1.6

Conversation

@ti-chi-bot
Copy link
Copy Markdown
Member

@ti-chi-bot ti-chi-bot commented May 9, 2026

This is an automated cherry-pick of #6872

What problem does this PR solve?

FedRAMP Gatekeeper block-default-service-account policy rejects pods that use the default ServiceAccount. The TidbInitializer Job pod did not expose a way to set spec.serviceAccountName, so users had to patch operator code or rely on the default ServiceAccount.

What is changed and how does it work?

This adds spec.serviceAccountName to TidbInitializerSpec and passes it through to the generated initializer Job pod template.

The CRD/OpenAPI schema is updated so users can configure:

spec:
  serviceAccountName: tidb-initializer

Check List

Tests

  • Unit test

Side effects

  • No side effects

Release note

Add serviceAccountName support to TidbInitializer.

Verification

  • go test ./pkg/manager/member
  • cd pkg/apis && go test ./pingcap/v1alpha1
  • git diff --check

@tennix @ti-chi-bot
Allow FedRAMP deployments to avoid default initializer identities
57394ce 
FedRAMP Gatekeeper can reject pods that fall back to the default service account. TidbInitializer creates a Job pod directly, so the CRD needs an explicit field that users can bind to a dedicated ServiceAccount without carrying operator-side patches.

The initializer spec now exposes serviceAccountName and passes it through to the generated Job pod template. The CRD and OpenAPI schema are updated so users can configure the field through the v1 API.

Constraint: FedRAMP block-default-service-account policy rejects implicit default service account usage
Rejected: Hardcode tidb-initializer in the manager | forces one service account name on all users and keeps requiring operator code patches
Confidence: high
Scope-risk: narrow
Directive: Keep this field as a pass-through to the Job pod spec; do not add defaulting here without checking backward compatibility
Tested: go test ./pkg/manager/member
Tested: cd pkg/apis && go test ./pingcap/v1alpha1
Tested: git diff --check
@ti-chi-bot ti-chi-bot mentioned this pull request May 9, 2026
Merged
@ti-chi-bot ti-chi-bot Bot requested a review from shonge May 9, 2026 01:30
@ti-chi-bot
Copy link
Copy Markdown
Contributor

ti-chi-bot Bot commented May 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign onlymellb for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liubog2008
Copy link
Copy Markdown
Member

liubog2008 commented May 9, 2026

/retest

@ti-chi-bot
Copy link
Copy Markdown
Contributor

ti-chi-bot Bot commented May 9, 2026
edited
Loading

@ti-chi-bot: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-e2e-kind-br 57394ce link false /test pull-e2e-kind-br

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@shonge shonge Awaiting requested review from shonge

Assignees

@liubog2008 liubog2008

Labels

size/M type/cherry-pick-for-release-1.6

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ti-chi-bot @liubog2008 @tennix