Skip to content

fix: prune consecutive auto-generated ServiceAccount token secrets#7699

Open
Anjali-Chauhan1 wants to merge 3 commits into
karmada-io:masterfrom
Anjali-Chauhan1:fix/serviceaccount-token-secret-pruning
Open

fix: prune consecutive auto-generated ServiceAccount token secrets#7699
Anjali-Chauhan1 wants to merge 3 commits into
karmada-io:masterfrom
Anjali-Chauhan1:fix/serviceaccount-token-secret-pruning

Conversation

@Anjali-Chauhan1

Copy link
Copy Markdown

PR description

What type of PR is this?

/kind bug

What this PR does / why we need it

removeServiceAccountIrrelevantField strips auto-generated <sa-name>-token-* secrets from a ServiceAccount before it is propagated to member clusters. It removed matching entries in place while advancing the loop index, so when two or more token secrets were listed consecutively, the entry that shifted into the freed slot was skipped. Those leftover token secrets were then propagated to member clusters.

This PR rebuilds the secrets slice by filtering out the token secrets, which removes all matches regardless of ordering. It also switches the entry/name type assertions to the comma-ok form so a malformed secrets entry no longer panics the interpreter.

Which issue this PR fixes

Fixes #7698

Special notes for your reviewer

Added a regression test case (remove consecutive serviceaccount token secrets) with two adjacent foo-token-* secrets. It fails on the previous implementation and passes with this change. Existing prune tests remain green.

Does this PR introduce a user-facing change?

`karmada-controller-manager`: Fixed the issue that consecutive auto-generated ServiceAccount token secrets were not pruned and could be propagated to member clusters.

Signed-off-by: Anjali-Chauhan1 <anjalichauhan1036@gmail.com>
Copilot AI review requested due to automatic review settings July 1, 2026 18:59
@karmada-bot karmada-bot added the kind/bug Categorizes issue or PR as related to a bug. label Jul 1, 2026
@karmada-bot

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign xishanyongye-chang for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@karmada-bot

Copy link
Copy Markdown
Contributor

Welcome @Anjali-Chauhan1! It looks like this is your first PR to karmada-io/karmada 🎉

@karmada-bot karmada-bot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Jul 1, 2026
@gemini-code-assist

Copy link
Copy Markdown

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a bug in the ServiceAccount pruning logic where consecutive auto-generated token secrets were being skipped during filtering. By switching to a filter-and-rebuild approach, the controller now reliably removes all matching token secrets regardless of their position in the slice. Additionally, the code was hardened against potential panics by introducing safer type assertions.

Highlights

  • Logic Correction: Replaced in-place slice modification with a new slice construction to correctly prune consecutive ServiceAccount token secrets.
  • Safety Improvements: Implemented comma-ok type assertions for map entries to prevent potential runtime panics when processing malformed secret data.
  • Regression Testing: Added a new test case to verify that multiple adjacent auto-generated token secrets are correctly removed.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request resolves an issue in removeServiceAccountIrrelevantField where in-place slice modification during iteration could lead to skipped elements or index out-of-bounds errors when removing service account secrets. The code has been refactored to safely iterate and filter elements into a new retained slice, incorporating proper type assertions. A new unit test has also been added to cover the removal of consecutive service account token secrets. There are no review comments to evaluate, and no additional feedback is provided.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes a pruning bug in Karmada’s native resource interpreter where consecutive auto-generated ServiceAccount token secrets (<sa>-token-*) could be skipped and incorrectly propagated to member clusters, and makes the pruning logic resilient to malformed secrets entries.

Changes:

  • Reworks ServiceAccount secret pruning to filter into a new slice (avoids index-skipping on consecutive matches).
  • Switches secrets entry parsing to comma-ok type assertions to avoid panics on malformed entries.
  • Adds a regression unit test covering consecutive token secrets.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
pkg/resourceinterpreter/default/native/prune/prune.go Filters secrets to reliably remove all <sa>-token-* entries and avoid panics on malformed items.
pkg/resourceinterpreter/default/native/prune/prune_test.go Adds a regression test for consecutive token secrets in ServiceAccount pruning.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pkg/resourceinterpreter/default/native/prune/prune_test.go
Comment thread pkg/resourceinterpreter/default/native/prune/prune.go
Signed-off-by: Anjali-Chauhan1 <anjalichauhan1036@gmail.com>
@codecov-commenter

codecov-commenter commented Jul 1, 2026

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.06%. Comparing base (ffbade9) to head (2c59dfd).
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #7699      +/-   ##
==========================================
+ Coverage   42.05%   42.06%   +0.01%     
==========================================
  Files         879      879              
  Lines       54831    54835       +4     
==========================================
+ Hits        23059    23069      +10     
+ Misses      30026    30022       -4     
+ Partials     1746     1744       -2     
Flag Coverage Δ
unittests 42.06% <100.00%> (+0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated no new comments.

…antField

Signed-off-by: Anjali-Chauhan1 <anjalichauhan1036@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

kind/bug Categorizes issue or PR as related to a bug. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ServiceAccount pruning skips consecutive auto-generated token secrets in removeServiceAccountIrrelevantField

4 participants