Provide a way to specify default service accounts

config/config-defaults.yaml

@@ -37,3 +37,7 @@ data:
     # default-timeout-minutes contains the default number of
     # minutes to use for TaskRun and PipelineRun, if none is specified.
     default-timeout-minutes: "60"  # 60 minutes
+
+    # default-service-account contains the default service account name
+    # to use for TaskRun and PipelineRun, if none is specified.
+    default-service-account: "default"

docs/install.md

@@ -144,6 +144,25 @@ creation of a persistent volume could be slower than uploading/downloading files
 to a bucket, or if the the cluster is running in multiple zones, the access to
 the persistent volume can fail.
 
+### Overriding  default ServiceAccount used for TaskRun and PipelineRun
+
+The ConfigMap `config-defaults` can be used to override default service account
+e.g. to override the default service account (`default`) to `tekton` apply the
+following
+
+```yaml
+
+### config-defaults.yaml
+apiVersion: v1
+kind: ConfigMap
+data:
+  default-service-account: "tekton"
+
+```
+
+*NOTE:* The `_example` key contains of the keys that can be overriden and their
+default values.
+
 ## Custom Releases
 
 The [release Task](./../tekton/README.md) can be used for creating a custom

docs/pipelineruns.md

@@ -40,8 +40,9 @@ following fields:
     [`PipelineResources`](resources.md) to use for this `PipelineRun`.
   - [`serviceAccount`](#service-account) - Specifies a `ServiceAccount` resource
     object that enables your build to run with the defined authentication
-    information.
-  - [`serviceAccounts`](#service-accounts) - Specifies a list of `ServiceAccount` 
+    information. When a `ServiceAccount` isn't specified, the `default-service-account`
+    specified in the configmap - config-defaults will be applied.
+  - [`serviceAccounts`](#service-accounts) - Specifies a list of `ServiceAccount`
     and `PipelineTask` pairs that enable you to overwrite `ServiceAccount` for concrete `PipelineTask`.
   - [`timeout`] - Specifies timeout after which the `PipelineRun` will fail. If the value of
     `timeout` is empty, the default timeout will be applied. If the value is set to 0,
@@ -118,19 +119,19 @@ spec:
 Specifies the `name` of a `ServiceAccount` resource object. Use the
 `serviceAccount` field to run your `Pipeline` with the privileges of the
 specified service account. If no `serviceAccount` field is specified, your
-resulting `TaskRuns` run using the
+resulting `TaskRuns` run using the service account specified in the ConfigMap
+`configmap-defaults` which if absent will default to
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
-that is in the
-[namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
+that is in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
 of the `TaskRun` resource object.
 
 For examples and more information about specifying service accounts, see the
 [`ServiceAccount`](./auth.md) reference topic.
 
 ### Service Accounts
 
-Specifies the list of `ServiceAccount` and `PipelineTask` pairs. Specified 
-`PipelineTask` will be run with configured `ServiceAccount`, 
+Specifies the list of `ServiceAccount` and `PipelineTask` pairs. Specified
+`PipelineTask` will be run with configured `ServiceAccount`,
 overwriting [`serviceAccount`](#service-account) configuration, for example:
 
 ```yaml

docs/taskruns.md

@@ -46,7 +46,8 @@ following fields:
 
   - [`serviceAccount`](#service-account) - Specifies a `ServiceAccount` resource
     object that enables your build to run with the defined authentication
-    information.
+    information. When a `ServiceAccount` isn't specified, the `default-service-account`
+    specified in the configmap - config-defaults will be applied.
   - [`inputs`] - Specifies [input parameters](#input-parameters) and
     [input resources](#providing-resources)
   - [`outputs`] - Specifies [output resources](#providing-resources)
@@ -157,10 +158,10 @@ default, if `default-timeout-minutes` is set to 0.
 Specifies the `name` of a `ServiceAccount` resource object. Use the
 `serviceAccount` field to run your `Task` with the privileges of the specified
 service account. If no `serviceAccount` field is specified, your `Task` runs
-using the
+using the  service account specified in the ConfigMap `configmap-defaults`
+which if absent will default to
 [`default` service account](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server)
-that is in the
-[namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
+that is in the [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/)
 of the `TaskRun` resource object.
 
 For examples and more information about specifying service accounts, see the

pkg/apis/config/default.go

@@ -30,17 +30,20 @@ const (
 	DefaultTimeoutMinutes    = 60
 	NoTimeoutDuration        = 0 * time.Minute
 	defaultTimeoutMinutesKey = "default-timeout-minutes"
+	defaultServiceAccountKey = "default-service-account"
 )
 
 // Defaults holds the default configurations
 // +k8s:deepcopy-gen=true
 type Defaults struct {
 	DefaultTimeoutMinutes int
+	DefaultServiceAccount string
 }
 
 // Equals returns true if two Configs are identical
 func (cfg *Defaults) Equals(other *Defaults) bool {
-	return other.DefaultTimeoutMinutes == cfg.DefaultTimeoutMinutes
+	return other.DefaultTimeoutMinutes == cfg.DefaultTimeoutMinutes &&
+		other.DefaultServiceAccount == cfg.DefaultServiceAccount
 }
 
 // NewDefaultsFromMap returns a Config given a map corresponding to a ConfigMap
@@ -56,6 +59,10 @@ func NewDefaultsFromMap(cfgMap map[string]string) (*Defaults, error) {
 		tc.DefaultTimeoutMinutes = int(timeout)
 	}
 
+	if defaultServiceAccount, ok := cfgMap[defaultServiceAccountKey]; ok {
+		tc.DefaultServiceAccount = defaultServiceAccount
+	}
+
 	return &tc, nil
 }
 

pkg/apis/config/default_test.go

@@ -26,6 +26,7 @@ import (
 func TestNewDefaultsFromConfigMap(t *testing.T) {
 	expectedConfig := &Defaults{
 		DefaultTimeoutMinutes: 50,
+		DefaultServiceAccount: "tekton",
 	}
 	verifyConfigFileWithExpectedConfig(t, DefaultsConfigName, expectedConfig)
 }

pkg/apis/config/testdata/config-defaults.yaml

@@ -19,3 +19,4 @@ metadata:
   namespace: tekton-pipelines
 data:
   default-timeout-minutes: "50"
+  default-service-account: "tekton"

pkg/apis/pipeline/v1alpha1/pipelinerun_defaults.go

@@ -42,4 +42,9 @@ func (prs *PipelineRunSpec) SetDefaults(ctx context.Context) {
 		}
 		prs.Timeout = timeout
 	}
+
+	defaultSA := cfg.Defaults.DefaultServiceAccount
+	if prs.ServiceAccount == "" && defaultSA != "" {
+		prs.ServiceAccount = defaultSA
+	}
 }

pkg/apis/pipeline/v1alpha1/pipelinerun_defaults_test.go

@@ -123,6 +123,33 @@ func TestPipelineRunDefaulting(t *testing.T) {
 			})
 			return s.ToContext(ctx)
 		},
+	}, {
+		name: "PipelineRef default config context with sa",
+		in: &v1alpha1.PipelineRun{
+			Spec: v1alpha1.PipelineRunSpec{
+				PipelineRef: v1alpha1.PipelineRef{Name: "foo"},
+			},
+		},
+		want: &v1alpha1.PipelineRun{
+			Spec: v1alpha1.PipelineRunSpec{
+				PipelineRef:    v1alpha1.PipelineRef{Name: "foo"},
+				Timeout:        &metav1.Duration{Duration: 5 * time.Minute},
+				ServiceAccount: "tekton",
+			},
+		},
+		wc: func(ctx context.Context) context.Context {
+			s := config.NewStore(logtesting.TestLogger(t))
+			s.OnConfigChanged(&corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: config.DefaultsConfigName,
+				},
+				Data: map[string]string{
+					"default-timeout-minutes": "5",
+					"default-service-account": "tekton",
+				},
+			})
+			return s.ToContext(ctx)
+		},
 	}}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {

pkg/apis/pipeline/v1alpha1/taskrun_defaults.go

@@ -46,4 +46,9 @@ func (trs *TaskRunSpec) SetDefaults(ctx context.Context) {
 		}
 		trs.Timeout = timeout
 	}
+
+	defaultSA := cfg.Defaults.DefaultServiceAccount
+	if trs.ServiceAccount == "" && defaultSA != "" {
+		trs.ServiceAccount = defaultSA
+	}
 }

pkg/apis/pipeline/v1alpha1/taskrun_defaults_test.go

@@ -146,6 +146,33 @@ func TestTaskRunDefaulting(t *testing.T) {
 			})
 			return s.ToContext(ctx)
 		},
+	}, {
+		name: "TaskRef default config context with SA",
+		in: &v1alpha1.TaskRun{
+			Spec: v1alpha1.TaskRunSpec{
+				TaskRef: &v1alpha1.TaskRef{Name: "foo"},
+			},
+		},
+		want: &v1alpha1.TaskRun{
+			Spec: v1alpha1.TaskRunSpec{
+				TaskRef:        &v1alpha1.TaskRef{Name: "foo", Kind: v1alpha1.NamespacedTaskKind},
+				Timeout:        &metav1.Duration{Duration: 5 * time.Minute},
+				ServiceAccount: "tekton",
+			},
+		},
+		wc: func(ctx context.Context) context.Context {
+			s := config.NewStore(logtesting.TestLogger(t))
+			s.OnConfigChanged(&corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name: config.DefaultsConfigName,
+				},
+				Data: map[string]string{
+					"default-timeout-minutes": "5",
+					"default-service-account": "tekton",
+				},
+			})
+			return s.ToContext(ctx)
+		},
 	}}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {