implement LegacyServiceAccountTokenCleanUp alpha

2025-11-01 18:58:18 +00:00 · 2022-12-27 17:23:05 +00:00
parent 61ca72b541
commit 133eff3df4
24 changed files with 1134 additions and 16 deletions
--- a/cmd/kube-controller-manager/app/core.go
+++ b/cmd/kube-controller-manager/app/core.go
@@ -68,6 +68,7 @@ import (
 	"k8s.io/kubernetes/pkg/controller/volume/pvprotection"
 	quotainstall "k8s.io/kubernetes/pkg/quota/v1/install"
 	"k8s.io/kubernetes/pkg/volume/csimigration"
+	"k8s.io/utils/clock"
 	netutils "k8s.io/utils/net"
 )

@@ -581,6 +582,25 @@ func startTTLAfterFinishedController(ctx context.Context, controllerContext Cont
 	return nil, true, nil
 }

+func startLegacySATokenCleaner(ctx context.Context, controllerContext ControllerContext) (controller.Interface, bool, error) {
+	cleanUpPeriod := controllerContext.ComponentConfig.LegacySATokenCleaner.CleanUpPeriod.Duration
+	legacySATokenCleaner, err := serviceaccountcontroller.NewLegacySATokenCleaner(
+		controllerContext.InformerFactory.Core().V1().ServiceAccounts(),
+		controllerContext.InformerFactory.Core().V1().Secrets(),
+		controllerContext.InformerFactory.Core().V1().Pods(),
+		controllerContext.ClientBuilder.ClientOrDie("legacy-service-account-token-cleaner"),
+		clock.RealClock{},
+		serviceaccountcontroller.LegacySATokenCleanerOptions{
+			CleanUpPeriod: cleanUpPeriod,
+			SyncInterval:  serviceaccountcontroller.DefaultCleanerSyncInterval,
+		})
+	if err != nil {
+		return nil, true, fmt.Errorf("failed to start the legacy service account token cleaner: %v", err)
+	}
+	go legacySATokenCleaner.Run(ctx)
+	return nil, true, nil
+}
+
 // processCIDRs is a helper function that works on a comma separated cidrs and returns
 // a list of typed cidrs
 // error if failed to parse any of the cidrs or invalid length of cidrs