From e831329248f889318c18e4066cd8a90f59f3c42d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=8E=8B=E6=AF=93?= <wangyu.luck@bytedance.com>
Date: Fri, 22 Mar 2024 10:27:58 +0800
Subject: [PATCH] fix: retain pod spec volume when its name has default token
 prefix

---
 pkg/controllers/sync/dispatch/retain.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/controllers/sync/dispatch/retain.go b/pkg/controllers/sync/dispatch/retain.go
index 828b1bba..d6447108 100644
--- a/pkg/controllers/sync/dispatch/retain.go
+++ b/pkg/controllers/sync/dispatch/retain.go
@@ -36,7 +36,9 @@ import (
 
 const (
 	// see serviceaccount admission plugin in kubernetes
-	ServiceAccountVolumeNamePrefix = "kube-api-access-"
+	ServiceAccountVolumeNameKubeAPIAccessPrefix = "kube-api-access-"
+	// see serviceaccount admission plugin in kubernetes
+	ServiceAccountVolumeNameDefaultTokenPrefix = "default-token-"
 	//nolint:gosec
 	DefaultAPITokenMountPath = "/var/run/secrets/kubernetes.io/serviceaccount"
 )
@@ -432,7 +434,8 @@ func findServiceAccountVolume(pod *unstructured.Unstructured) (volume map[string
 		}
 
 		// see serviceaccount admission plugin
-		if strings.HasPrefix(name, ServiceAccountVolumeNamePrefix) {
+		if strings.HasPrefix(name, ServiceAccountVolumeNameKubeAPIAccessPrefix) ||
+			strings.HasPrefix(name, ServiceAccountVolumeNameDefaultTokenPrefix) {
 			return volume, i, true
 		}
 	}