Cluster image scanning does not work with non-default namespace or service account

Why are we doing this work

With the completion of gitlab-org/cluster-integration/gitlab-agent!630 (merged), the GitLab agent is now able to run vulnerability scans. Currently, it is hard-coded to run the jobs within the gitlab-agent namespace, using the gitlab-agent service account. This namespace and service account are created when using the default installation method, but it is possible for the user to customize it and choose different namespaces and service accounts. We need to fix this so that it still works when these configurations are changed.

Relevant links

Another tricky behavior was noticed after first writing this issue (emphasis mine - copied from #350232 (comment 992999651)):

When verifying, I first encountered this error:

{"level":"error","time":"2022-06-15T17:02:00.902Z","msg":"Failed to perform vulnerability scan on workload","mod_name":"starboard_vulnerability","error":"getting service account by name: gitlab-agent/gitlab-agent: serviceaccounts \"gitlab-agent\" not found"}

It appears that the default service account name is no longer gitlab-agent. Instead, it is [agent name]-gitlab-agent (code). To work around this, you can either do kubectl create serviceaccount gitlab-agent -n gitlab-agent, or pass --set serviceAccount.name=gitlab-agent to the helm command when installing the agent. @thiagocsf This may be a good reason to prioritize #361972 (closed), as the vulnerability scanning no longer works out of the box.

Non-functional requirements

  • Documentation:
  • Feature flag:
  • Performance:
  • Testing:

Implementation Plan

  • Chart: We can already read the namespace the agent pods run in from the POD_NAMESPACE environment variable. To determine the service account likewise, we need to add a SERVICE_ACCOUNT_NAME env var to deployment.yaml:
diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -61,6 +61,10 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.name
+            - name: SERVICE_ACCOUNT_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.serviceAccountName
           {{- if .Values.extraEnv }}
             {{- toYaml .Values.extraEnv | nindent 12 }}
           {{- end }}
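Review bot: the fallback described for the agent side matters here because this variable only exists on pods deployed from a chart that includes this hunk; an agent binary with this change running under an older chart will see SERVICE_ACCOUNT_NAME unset, so the agent must treat absence as "use the hard-coded gitlab-agent name" and log that it did, rather than failing the scan. The fieldRef itself is fine: spec.serviceAccountName is exposed by the downward API, so it reports the account the pod actually runs as, including a custom serviceAccount.name. Since the new entry sits just before the `{{- toYaml .Values.extraEnv | nindent 12 }}` block, a user who already sets SERVICE_ACCOUNT_NAME in extraEnv will produce a duplicate env name; worth a line in the chart's values documentation saying the variable is reserved.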
  • Agent: In our agent's factory.go, we need to read these variables instead of hardcoding namespace and service account name. If SERVICE_ACCOUNT_NAME is unset, we fall back to the current gitlab-agent value.

  • Documentation: Remove workaround from agent troubleshooting docs (revert !90520 (merged))
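The agent-side step above, reading POD_NAMESPACE and SERVICE_ACCOUNT_NAME with a fallback to the hard-coded gitlab-agent value, as an added example that is not code from gitlab-agent's factory.go. The function name, the ScanIdentity type, and the decision to treat a missing POD_NAMESPACE as an error (the issue only specifies a fallback for the service account) are assumptions; the DNS-1123 checks are the same name rules the Kubernetes API applies, included so that a malformed value from the environment is rejected in the agent instead of surfacing as an API error on every scan.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"os"
	"regexp"
)

// Fallback matching the value the issue says is currently hard-coded.
const defaultServiceAccount = "gitlab-agent"

// Namespaces are DNS-1123 labels (max 63 chars); service account names are
// DNS-1123 subdomains (max 253 chars). Validating here keeps an operator typo
// or a stray extraEnv value from reaching the API server on every scan job.
var (
	dns1123Label     = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?$`)
	dns1123Subdomain = regexp.MustCompile(`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)
)

// ScanIdentity is where vulnerability-scan jobs will be created and which
// service account they run under (hypothetical type, not the agent's own).
type ScanIdentity struct {
	Namespace      string
	ServiceAccount string
	UsedFallback   bool // true when SERVICE_ACCOUNT_NAME was absent or empty
}

// ResolveScanIdentity derives the scan namespace and service account from the
// downward-API environment. lookup has the shape of os.LookupEnv so the logic
// can be exercised without touching the real process environment.
func ResolveScanIdentity(lookup func(string) (string, bool)) (ScanIdentity, error) {
	ns, ok := lookup("POD_NAMESPACE")
	if !ok || ns == "" {
		// Assumption: the chart already exposes POD_NAMESPACE, so its absence
		// is a deployment error rather than something to paper over.
		return ScanIdentity{}, errors.New("POD_NAMESPACE is not set; the chart must expose it via the downward API")
	}
	if len(ns) > 63 || !dns1123Label.MatchString(ns) {
		return ScanIdentity{}, fmt.Errorf("POD_NAMESPACE %q is not a valid namespace name", ns)
	}

	id := ScanIdentity{Namespace: ns}
	sa, ok := lookup("SERVICE_ACCOUNT_NAME")
	if !ok || sa == "" {
		// Older chart releases do not set this variable; keep the previous behaviour.
		sa = defaultServiceAccount
		id.UsedFallback = true
	}
	if len(sa) > 253 || !dns1123Subdomain.MatchString(sa) {
		return ScanIdentity{}, fmt.Errorf("SERVICE_ACCOUNT_NAME %q is not a valid service account name", sa)
	}
	id.ServiceAccount = sa
	return id, nil
}

func main() {
	id, err := ResolveScanIdentity(os.LookupEnv)
	if err != nil {
		log.Fatalf("cannot configure vulnerability scanning: %v", err)
	}
	if id.UsedFallback {
		// Logging the fallback makes the "serviceaccounts not found" failure from
		// the issue diagnosable: the operator can see which name the agent chose.
		log.Printf("SERVICE_ACCOUNT_NAME not set, falling back to %q", id.ServiceAccount)
	}
	log.Printf("scan jobs will run in namespace %q as service account %q", id.Namespace, id.ServiceAccount)
}
```

The lookup parameter is the only design choice worth a remark: passing os.LookupEnv in main keeps production behaviour identical to reading the environment directly, while a map-backed lookup lets a unit test cover the unset, empty and malformed cases that the reported error in this issue came from.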

Verification steps

Edited by Thiago Figueiró