fix: retain pod spec volume when its name has default token prefix

wy-lucky · Mar 22, 2024 · e831329 · e831329
1 parent c8c5d84
commit e831329
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/pkg/controllers/sync/dispatch/retain.go b/pkg/controllers/sync/dispatch/retain.go
@@ -36,7 +36,9 @@ import (
 
 const (
 	// see serviceaccount admission plugin in kubernetes
-	ServiceAccountVolumeNamePrefix = "kube-api-access-"
+	ServiceAccountVolumeNameKubeAPIAccessPrefix = "kube-api-access-"
+	// see serviceaccount admission plugin in kubernetes
+	ServiceAccountVolumeNameDefaultTokenPrefix = "default-token-"
 	//nolint:gosec
 	DefaultAPITokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"
 )
@@ -432,7 +434,8 @@ func findServiceAccountVolume(pod *unstructured.Unstructured) (volume map[string
 		}
 
 		// see serviceaccount admission plugin
-		if strings.HasPrefix(name, ServiceAccountVolumeNamePrefix) {
+		if strings.HasPrefix(name, ServiceAccountVolumeNameKubeAPIAccessPrefix) ||
+			strings.HasPrefix(name, ServiceAccountVolumeNameDefaultTokenPrefix) {
 			return volume, i, true
 		}
 	}