fix: prune consecutive auto-generated ServiceAccount token secrets#7699
fix: prune consecutive auto-generated ServiceAccount token secrets#7699Anjali-Chauhan1 wants to merge 3 commits into
Conversation
Signed-off-by: Anjali-Chauhan1 <anjalichauhan1036@gmail.com>
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Welcome @Anjali-Chauhan1! It looks like this is your first PR to karmada-io/karmada 🎉 |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a bug in the ServiceAccount pruning logic where consecutive auto-generated token secrets were being skipped during filtering. By switching to a filter-and-rebuild approach, the controller now reliably removes all matching token secrets regardless of their position in the slice. Additionally, the code was hardened against potential panics by introducing safer type assertions. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request resolves an issue in removeServiceAccountIrrelevantField where in-place slice modification during iteration could lead to skipped elements or index out-of-bounds errors when removing service account secrets. The code has been refactored to safely iterate and filter elements into a new retained slice, incorporating proper type assertions. A new unit test has also been added to cover the removal of consecutive service account token secrets. There are no review comments to evaluate, and no additional feedback is provided.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
There was a problem hiding this comment.
Pull request overview
Fixes a pruning bug in Karmada’s native resource interpreter where consecutive auto-generated ServiceAccount token secrets (<sa>-token-*) could be skipped and incorrectly propagated to member clusters, and makes the pruning logic resilient to malformed secrets entries.
Changes:
- Reworks ServiceAccount secret pruning to filter into a new slice (avoids index-skipping on consecutive matches).
- Switches
secretsentry parsing to comma-ok type assertions to avoid panics on malformed entries. - Adds a regression unit test covering consecutive token secrets.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/resourceinterpreter/default/native/prune/prune.go | Filters secrets to reliably remove all <sa>-token-* entries and avoid panics on malformed items. |
| pkg/resourceinterpreter/default/native/prune/prune_test.go | Adds a regression test for consecutive token secrets in ServiceAccount pruning. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Anjali-Chauhan1 <anjalichauhan1036@gmail.com>
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #7699 +/- ##
==========================================
+ Coverage 42.05% 42.06% +0.01%
==========================================
Files 879 879
Lines 54831 54835 +4
==========================================
+ Hits 23059 23069 +10
+ Misses 30026 30022 -4
+ Partials 1746 1744 -2
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
…antField Signed-off-by: Anjali-Chauhan1 <anjalichauhan1036@gmail.com>
PR description
What type of PR is this?
/kind bug
What this PR does / why we need it
removeServiceAccountIrrelevantFieldstrips auto-generated<sa-name>-token-*secrets from a ServiceAccount before it is propagated to member clusters. It removed matching entries in place while advancing the loop index, so when two or more token secrets were listed consecutively, the entry that shifted into the freed slot was skipped. Those leftover token secrets were then propagated to member clusters.This PR rebuilds the
secretsslice by filtering out the token secrets, which removes all matches regardless of ordering. It also switches the entry/name type assertions to the comma-ok form so a malformedsecretsentry no longer panics the interpreter.Which issue this PR fixes
Fixes #7698
Special notes for your reviewer
Added a regression test case (
remove consecutive serviceaccount token secrets) with two adjacentfoo-token-*secrets. It fails on the previous implementation and passes with this change. Existing prune tests remain green.Does this PR introduce a user-facing change?