I have an Elasticsearch cluster created by the ECK operator. But the operator is not adding the Kube service account name to the pod templates.
Here is the Elasticsearch config (truncated for brevity):
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: logging0
spec:
  version: 7.9.3
  serviceAccountName: logging-es
  ...
According to the ECK API docs, the serviceAccountName option "Can only be used if ECK is enforcing RBAC on references."
The operator is running with enforce-rbac-on-refs enabled:
...
containers:
  - image: "docker.elastic.co/eck/eck-operator:1.2.1"
    imagePullPolicy: IfNotPresent
    name: manager
    args:
      - "manager"
      - "--log-verbosity=0"
      - "--metrics-port=0"
      - "--container-registry=docker.elastic.co"
      - "--max-concurrent-reconciles=3"
      - "--ca-cert-validity=8760h"
      - "--ca-cert-rotate-before=24h"
      - "--cert-validity=8760h"
      - "--cert-rotate-before=24h"
      - "--enable-webhook"
      - "--enforce-rbac-on-refs"
...
Is this a bug, or is there additional configuration required to get the service account added to the Elasticsearch pods?
P.S. The service account is needed so that the Pod can use the AWS IAM roles for Kubernetes feature of EKS to access an S3 bucket to store snapshots.
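
Added example, not part of the original post: in the ECK Elasticsearch resource, the top-level spec.serviceAccountName is used by the operator for RBAC checks on references to other resources, while the service account the pods run as is set in each nodeSet's podTemplate. The nodeSet name, node count and IAM role ARN below are placeholders.

```yaml
# Service account the Elasticsearch pods run as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: logging-es
  annotations:
    # EKS IAM roles for service accounts annotation.
    # Placeholder ARN: substitute the role that grants access to the S3 bucket.
    eks.amazonaws.com/role-arn: "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME>"
---
apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
metadata:
  name: logging0
spec:
  version: 7.9.3
  # A top-level spec.serviceAccountName is only consulted by the operator when
  # it enforces RBAC on references; it is not copied into the pod spec.
  nodeSets:
    - name: default   # placeholder nodeSet name
      count: 3        # placeholder node count
      podTemplate:
        spec:
          # This field ends up on the Elasticsearch pods themselves.
          serviceAccountName: logging-es
```

After the operator recreates the pods, `kubectl get pod <pod-name> -o jsonpath='{.spec.serviceAccountName}'` shows which service account a pod was given.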