I understand we can use pod-patches to set a non-default service account when using a Kubernetes backend, but so far I’ve been unsuccessful in configuring this.
Here is how I’ve tried to add the necessary patch in the application.yml:
```
kubernetes:
  namespace: shinyproxy
  internal-networking: true
  debug-patches: true
  image-pull-policy: IfNotPresent
  # Add a patch to include serviceAccountName for ShinyProxy-launched pods
  kubernetes-pod-patches: |
    - op: add
      path: /spec/serviceAccountName
      value: shinyproxy-sa
```
And I can see the output of the patched pod:
```
2025-01-10T17:41:57.213Z INFO 1 --- [ProxyService-16] e.o.c.backend.kubernetes.PodPatcher : [user=3cb27518-018a-4a1a-b4e7-12f6d577ec04 proxyId=5f0fc2ae-4400-4bf3-9278-f7dc0806a9a4 specId=rstudio] Patched Pod:
---
apiVersion: "v1"
kind: "Pod"
metadata:
  annotations:
    openanalytics.eu/sp-cache-headers-mode: "EnforceNoCache"
    openanalytics.eu/sp-max-lifetime: "-1"
    openanalytics.eu/sp-public-path: "/app_proxy/5f0fc2ae-4400-4bf3-9278-f7dc0806a9a4/"
    openanalytics.eu/sp-websocket-reconnection-mode: "None"
    openanalytics.eu/sp-shiny-force-full-reload: "false"
    openanalytics.eu/sp-user-timezone: "America/Chicago"
    openanalytics.eu/sp-proxy-id: "5f0fc2ae-4400-4bf3-9278-f7dc0806a9a4"
    openanalytics.eu/sp-http-headers: "{\"X-SP-UserGroups\":\"ANONYMOUS\",\"X-SP-UserId\"\
      :\"3cb27518-018a-4a1a-b4e7-12f6d577ec04\"}"
    openanalytics.eu/sp-spec-id: "rstudio"
    openanalytics.eu/sp-app-instance: "_"
    openanalytics.eu/sp-heartbeat-timeout: "60000"
    openanalytics.eu/sp-user-id: "3cb27518-018a-4a1a-b4e7-12f6d577ec04"
    openanalytics.eu/sp-proxy-created-timestamp: "1736530914618"
    openanalytics.eu/sp-user-groups: "ANONYMOUS"
    openanalytics.eu/sp-track-app-url: "false"
    openanalytics.eu/sp-display-name: "RStudio"
    openanalytics.eu/sp-target-id: "5f0fc2ae-4400-4bf3-9278-f7dc0806a9a4"
    openanalytics.eu/sp-container-index: "0"
    openanalytics.eu/sp-port-mappings: "[{\"name\":\"default\",\"port\":8787,\"targetPath\"\
      :\"\"}]"
  labels:
    app: "67197aeb-0ece-45e5-be6e-e915f19fe00d"
    openanalytics.eu/sp-proxied-app: "true"
    openanalytics.eu/sp-instance: "0e7971194020612eaa59b9962204056fad8fe8b0"
  name: "sp-pod-5f0fc2ae-4400-4bf3-9278-f7dc0806a9a4-0"
  namespace: "shinyproxy"
spec:
  containers:
  - env:
    - name: "SHINYPROXY_USERGROUPS"
      value: "ANONYMOUS"
    - name: "WWW_ROOT_PATH"
      value: "/app_proxy/5f0fc2ae-4400-4bf3-9278-f7dc0806a9a4/"
    - name: "SHINYPROXY_USERNAME"
      value: "3cb27518-018a-4a1a-b4e7-12f6d577ec04"
    - name: "DISABLE_AUTH"
      value: "true"
    - name: "SHINYPROXY_PUBLIC_PATH"
      value: "/app_proxy/5f0fc2ae-4400-4bf3-9278-f7dc0806a9a4/"
    image: "rstudio:latest"
    imagePullPolicy: "IfNotPresent"
    name: "sp-container-0"
    ports:
    - containerPort: 8787
    resources: {}
    securityContext:
      privileged: false
  serviceAccountName: "shinyproxy-sa"
```
But it appears to still try to use the default service account:
```
Failure executing: POST at: https://10.96.0.1:443/api/v1/namespaces/shinyproxy/pods. Message: pods is forbidden: User "system:serviceaccount:shinyproxy:default" cannot create resource "pods" in API group "" in the namespace "shinyproxy".
```
I’m not sure how to tell the pod to use the shinyproxy-sa service account.
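
An added example, not part of the original post and not ShinyProxy's own code: a Kubernetes `forbidden` message names the identity that sent the API request, so this Python script parses the error quoted above and compares that caller with the `serviceAccountName` the patch set on the launched pod. The function names `parse_forbidden` and `diagnose` are hypothetical.

```python
import re

# Shape of the API server's RBAC denial text, as it appears in the post above.
FORBIDDEN_RE = re.compile(
    r'is forbidden: User "(?P<user>[^"]+)" cannot (?P<verb>\w+) '
    r'resource "(?P<resource>[^"]+)" in API group "(?P<group>[^"]*)"'
    r'(?: in the namespace "(?P<namespace>[^"]+)")?'
)
SA_PREFIX = "system:serviceaccount:"

# Error text copied from the post.
SAMPLE = ('Failure executing: POST at: https://10.96.0.1:443/api/v1/namespaces/'
          'shinyproxy/pods. Message: pods is forbidden: User '
          '"system:serviceaccount:shinyproxy:default" cannot create resource '
          '"pods" in API group "" in the namespace "shinyproxy".')


def parse_forbidden(message):
    """Return the denied caller and request, or None if not an RBAC denial."""
    m = FORBIDDEN_RE.search(message)
    if m is None:
        return None
    info = m.groupdict()
    info["caller_sa"] = None  # stays None for human users and node identities
    if info["user"].startswith(SA_PREFIX):
        ns, _, name = info["user"][len(SA_PREFIX):].partition(":")
        if ns and name:
            info["caller_sa"] = (ns, name)
    return info


def diagnose(message, patched_namespace, patched_sa):
    """Compare the denied caller with the serviceAccountName set by the patch."""
    info = parse_forbidden(message)
    if info is None:
        return None
    return {
        "caller": info["user"],
        "caller_is_patched_sa": info["caller_sa"] == (patched_namespace, patched_sa),
        # Smallest Role rule that would cover the denied request for that caller.
        "missing_rule": {"apiGroups": [info["group"]],
                         "resources": [info["resource"]],
                         "verbs": [info["verb"]]},
        "scope": info["namespace"] or "cluster",
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE, "shinyproxy", "shinyproxy-sa"))
```

For the error in the post, the caller is `system:serviceaccount:shinyproxy:default` and `caller_is_patched_sa` is false: the denied request came from the account that issued the POST, not from the account named in the patched pod spec.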