fix API call SA token and response (#6842)

Signed-off-by: Jim Bugwadia <jim@nirmata.com>
2025-03-31 03:45:17 +00:00 · 2023-04-10 23:03:10 -07:00 · 2023-04-10 23:03:10 -07:00 · 9fe330d7cf
commit 9fe330d7cf
parent 3eff458126
3 changed files with 9 additions and 21 deletions
--- a/charts/kyverno/templates/admission-controller/deployment.yaml
+++ b/charts/kyverno/templates/admission-controller/deployment.yaml
@ -202,16 +202,7 @@ spec:
          volumeMounts:
            - mountPath: {{ .Values.admissionController.tufRootMountPath }}
              name: sigstore
-            - mountPath: /var/run/secrets/tokens
-              name: api-token
      volumes:
      - name: sigstore
        {{- toYaml (required "A valid .Values.admissionController.sigstoreVolume entry is required" .Values.admissionController.sigstoreVolume) | nindent 8 }}
-      - name: api-token
-        projected:
-          sources:
-          - serviceAccountToken:
-              path: api-token
-              expirationSeconds: 600
-              audience: kyverno-extension
 {{- end -}}
--- a/config/install-latest-testing.yaml
+++ b/config/install-latest-testing.yaml
@ -34801,18 +34801,9 @@ spec:
          volumeMounts:
            - mountPath: /.sigstore
              name: sigstore
-            - mountPath: /var/run/secrets/tokens
-              name: api-token
      volumes:
      - name: sigstore
        emptyDir: {}
-      - name: api-token
-        projected:
-          sources:
-          - serviceAccountToken:
-              path: api-token
-              expirationSeconds: 600
-              audience: kyverno-extension
 ---
 apiVersion: apps/v1
 kind: Deployment
--- a/pkg/engine/apicall/apiCall.go
+++ b/pkg/engine/apicall/apiCall.go
@ -99,7 +99,12 @@ func (a *apiCall) executeServiceCall(service *kyvernov1.ServiceCall) ([]byte, er
 	}

 	if resp.StatusCode < 200 || resp.StatusCode >= 300 {
-		return nil, fmt.Errorf("HTTP %d: %s", resp.StatusCode, resp.Status)
+		b, err := io.ReadAll(resp.Body)
+		if err == nil {
+			return nil, fmt.Errorf("HTTP %s: %s", resp.Status, string(b))
+		}
+
+		return nil, fmt.Errorf("HTTP %s", resp.Status)
 	}

 	defer resp.Body.Close()
@ -139,9 +144,10 @@ func (a *apiCall) buildHTTPRequest(service *kyvernov1.ServiceCall) (req *http.Re
 }

 func (a *apiCall) getToken() string {
-	b, err := os.ReadFile("/var/run/secrets/tokens/api-token")
+	fileName := "/var/run/secrets/kubernetes.io/serviceaccount/token"
+	b, err := os.ReadFile(fileName)
 	if err != nil {
-		a.log.Info("failed to read token", "path", "/var/run/secrets/tokens/api-token")
+		a.log.Info("failed to read service account token", "path", fileName)
 		return ""
 	}