Add ServiceAccounts for the ModuleLoader and DevicePlugin workloads

[mresvanis]

This PR adds ServiceAccounts for the module loader and the device plugin workloads of a Module, when no ServiceAccounts are specified in the Module.Spec.

This way we avoid using the K8S default ServiceAccount, which may have different permissions than the module loader and/or the device plugin workloads require.

Specifically, this PR:

• adds the required ServiceAccount permissions to the module reconciler
• adds the following Module reconciliation steps when the Module.Spec.ModuleLoader.ServiceAccountName is empty:
  • adds a module loader ServiceAccount
  • adds the module loaderServiceAccount to the module loader DaemonSet
• adds the following Module reconciliation steps when the Module.Spec.DevicePlugin.ServiceAccountName is empty:
  • adds a device plugin ServiceAccount
  • adds the device plugin ServiceAccount to the device plugin DaemonSet

Signed-off-by: Michail Resvanis [email protected]

[k8s-ci-robot]

Hi @mresvanis. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[codecov-commenter]

Codecov Report

Base: 72.90% // Head: 73.46% // Increases project coverage by +0.55% 🎉

Coverage data is based on head (e034df0) compared to base (56b8bb3).
Patch coverage: 86.95% of modified lines in pull request are covered.

❗ Current head e034df0 differs from pull request most recent head 41910e7. Consider uploading reports for the commit 41910e7 to get more accurate results

Additional details and impacted files

@@            Coverage Diff             @@
##             main      #90      +/-   ##
==========================================
+ Coverage   72.90%   73.46%   +0.55%     
==========================================
  Files          16       17       +1     
  Lines        1705     1771      +66     
==========================================
+ Hits         1243     1301      +58     
- Misses        398      404       +6     
- Partials       64       66       +2     

Impacted Files	Coverage Δ
main.go	4.38% <0.00%> (-0.04%)	⬇️
controllers/module_reconciler.go	66.10% <30.00%> (-1.60%)	⬇️
internal/daemonset/daemonset.go	97.94% <100.00%> (+0.04%)	⬆️
internal/rbac/rbac.go	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[qbarrand]

/ok-to-test

[qbarrand]

This LGTM. Please fix the linting issue and squash into one commit.
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mresvanis, qbarrand

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [qbarrand]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mresvanis]

@ybettan @yevgeny-shnaidman this PR is now ready for review, whenever you have some time it would be great to take a look into it. Thank you!

[ybettan]

/lgtm

[ybettan]

/lgtm