3

I have a need to define a standalone patch as YAML.

More specifically, I want to do the following:

kubectl patch serviceaccount default -p '{"imagePullSecrets": [{"name": "registry-my-registry"}]}'

The catch is I can't use kubectl patch. I'm using a GitOps workflow with flux, and that resource I want to patch is a default resource created outside of flux.

In other terms, I need to do the same thing as the command above but with kubectl apply only:

kubectl apply -f patch.yaml

I wasn't able to figure out if you can define such a patch.

The key bit is that I can't predict the name of the default secret token on a new cluster (as the name is random, i.e. default-token-uudge)

Juicy

2 Answers

2
  • Fields set and deleted from Resource Config are merged into Resources by Kubectl apply:
  • If a Resource already exists, Apply updates the Resources by merging the local Resource Config into the remote Resources
  • Fields removed from the Resource Config will be deleted from the remote Resource

You can learn more about Kubernetes Field Merge Semantics.

  • If your limitation is not knowing the secret default-token-xxxxx name, no problem, just keep that field out of your yaml.

  • As long as the yaml has enough fields to identify the target resource (name, kind, namespace) it will add/edit the fields you set.

  • I created a cluster (minikube in this example, but it could be any) and retrieved the current default serviceAccount:

$ kubectl get serviceaccount default -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2020-07-01T14:51:38Z"
  name: default
  namespace: default
  resourceVersion: "330"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: a9e5ff4a-8bfb-466f-8873-58c2172a5d11
secrets:
- name: default-token-j6zx2
  • Then, we create a yaml file with the contents that we want to add:
$ cat add-image-pull-secrets.yaml 
apiVersion: v1
kind: ServiceAccount
metadata:
  name: default
  namespace: default
imagePullSecrets:
 - name: registry-my-registry
  • Now we apply and verify:
$ kubectl apply -f add-image-pull-secrets.yaml 
serviceaccount/default configured

$ kubectl get serviceaccount default -o yaml
apiVersion: v1
imagePullSecrets:
- name: registry-my-registry
kind: ServiceAccount
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","imagePullSecrets":[{"name":"registry-my-registry2"}],"kind":"ServiceAccount","metadata":{"annotations":{},"name":"default","namespace":"default"}}
  creationTimestamp: "2020-07-01T14:51:38Z"
  name: default
  namespace: default
  resourceVersion: "2382"
  selfLink: /api/v1/namespaces/default/serviceaccounts/default
  uid: a9e5ff4a-8bfb-466f-8873-58c2172a5d11
secrets:
- name: default-token-j6zx2

As you can see, the ImagePullPolicy was added to the resource.

I hope it fits your needs. If you have any further questions let me know in the comments.

Will R.O.F.
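The merge behaviour described in the answer above, modelled as an added example (not part of the original answer and not kubectl's own code): a simplified three-way merge over the live object, the last-applied configuration and the local file. Passing the last-applied configuration as an argument and replacing lists whole are assumptions of this sketch; the sample objects are constructed from the output shown in the answer.

```python
import copy

def apply_merge(live, last_applied, local):
    """Simplified model of apply: merge maps key by key, replace lists and scalars whole."""
    result = copy.deepcopy(live)
    # Fields the previous apply set but the new config dropped are deleted.
    for key in last_applied:
        if key not in local:
            result.pop(key, None)
    # Fields present in the local config are set; nested maps are merged recursively.
    for key, value in local.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            prev = last_applied.get(key)
            prev = prev if isinstance(prev, dict) else {}
            result[key] = apply_merge(result[key], prev, value)
        else:
            result[key] = copy.deepcopy(value)
    return result

# Constructed sample: the live default ServiceAccount, created outside of apply.
LIVE = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "default", "namespace": "default",
                 "creationTimestamp": "2020-07-01T14:51:38Z"},
    "secrets": [{"name": "default-token-j6zx2"}],
}

# The local file: identifies the target and sets only imagePullSecrets.
PATCH = {
    "apiVersion": "v1",
    "kind": "ServiceAccount",
    "metadata": {"name": "default", "namespace": "default"},
    "imagePullSecrets": [{"name": "registry-my-registry"}],
}

def demo():
    # First apply: no last-applied configuration exists, so nothing is deleted.
    first = apply_merge(LIVE, {}, PATCH)
    # Second apply with imagePullSecrets removed from the file: the field was
    # owned by the previous apply, so it is deleted; "secrets" never was.
    trimmed = {k: v for k, v in PATCH.items() if k != "imagePullSecrets"}
    second = apply_merge(first, PATCH, trimmed)
    return first, second

if __name__ == "__main__":
    for step in demo():
        print(step)
```

Fields that never appeared in an applied file, such as the generated token name under `secrets`, are left alone in both steps.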
1

Let's say your service account YAML looks like below:

$ kubectl get sa demo -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo
  namespace: default
secrets:
 - name: default-token-uudge

Now, you want to add or change the imagePullSecrets for that service account. To do so, edit the YAML file and add imagePullSecrets.

apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo
  namespace: default
secrets:
 - name: default-token-uudge
imagePullSecrets:
 - name: myregistrykey

And finally, apply the changes:

$ kubectl apply -f service-account.yaml
Kamol Hasan
  • 1
    Unfortunately this won't work. I can't predict the name of the default token on a new cluster, as the last five characters are random. I need this to work on any new cluster that is spun up. – Juicy Jul 01 '20 at 14:26