package inject import corev1 "k8s.io/api/core/v1" const ( // We don't want to make this configurable since users shouldn't rely on this // feature to set a fsGroup for them. This feature is just to protect innocent // users that are not aware of the limitation of iam-for-service-accounts: // https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8 // Users should set fsGroup on the pod spec directly if a specific fsGroup is desired. defaultIAMForSAFSGroup int64 = 1337 ) func newIAMForServiceAccountsMutator(enabled bool) *iamForServiceAccountsMutator { return &iamForServiceAccountsMutator{ enabled: enabled, fsGroupID: defaultIAMForSAFSGroup, } } var _ PodMutator = &iamForServiceAccountsMutator{} // If enabled, a fsGroup will be injected in the absence of it within pod securityContext // see https://github.com/aws/amazon-eks-pod-identity-webhook/issues/8 for more details type iamForServiceAccountsMutator struct { enabled bool fsGroupID int64 } func (m *iamForServiceAccountsMutator) mutate(pod *corev1.Pod) error { if !m.enabled { return nil } if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.FSGroup != nil { return nil } if pod.Spec.SecurityContext == nil { pod.Spec.SecurityContext = &corev1.PodSecurityContext{} } pod.Spec.SecurityContext.FSGroup = &m.fsGroupID return nil }