Add option to patch all service accounts

Jiang Huan · Jiang Huan · commit da0e8e2a7152 · 2020-02-04T11:39:34.000+08:00
diff --git a/README.md b/README.md
@@ -5,10 +5,12 @@
 ![GitHub tag (latest SemVer)](https://img.shields.io/github/v/tag/titansoft-pte-ltd/imagepullsecret-patcher)
 ![GitHub issues](https://img.shields.io/github/issues/titansoft-pte-ltd/imagepullsecret-patcher)
 
-A simple Kubernetes [client-go](https://github.com/kubernetes/client-go) application that creates and patches imagePullSecrets to default service accounts in all Kubernetes namespaces to allow cluster-wide authenticated access to private container registry.
+A simple Kubernetes [client-go](https://github.com/kubernetes/client-go) application that creates and patches imagePullSecrets to service accounts in all Kubernetes namespaces to allow cluster-wide authenticated access to private container registry.
 
 ![screenshot](doc/screenshot.png)
 
+A blog post: https://medium.com/titansoft-engineering/kubernetes-cluster-wide-access-to-private-container-registry-with-imagepullsecret-patcher-b8b8fb79f7e5
+
 ## Installation and configuration
 
 To install imagepullsecret-patcher, can refer to [deploy-example](deploy-example) as a quick-start. 
@@ -19,6 +21,7 @@ Below is a table of available configurations:
 |-|-|-|-|-|
 | force | CONFIG_FORCE | -force | true | overwrite secrets when not match |
 | debug | CONFIG_DEBUG | -debug | false | show DEBUG logs |
+| all service account | CONFIG_ALLSERVICEACCOUNT | -allserviceaccount | false | if false, patch just default service account; if true, list and patch all service accounts |
 | dockerconfigjson | CONFIG_DOCKERCONFIGJSON | -dockerconfigjson | "" | json credential for authenicating container registry |
 | secret name | CONFIG_SECRETNAME | -secretname | "image-pull-secret" | name of managed secrets |
 
@@ -47,12 +50,6 @@ kubectl patch serviceaccount default \
 
 And it could be automated with a simple program like imagepullsecret-patcher.
 
-## How
-
-The imagepullsecret-patcher does two things: create a secret called `image-pull-secret` in all namespaces, and patch the `default` service accounts to use those secrets as imagePullSecrets.
-
-![flowchart](doc/IMAGEPULLSECRET-PATCHER-v0.x.png)
-
 ## Contribute
 
 Development Environment
diff --git a/deploy-example/kubernetes-manifest/2_deployment.yaml b/deploy-example/kubernetes-manifest/2_deployment.yaml
@@ -27,12 +27,14 @@ spec:
       serviceAccountName: imagepullsecret-patcher
       containers:
       - name: imagepullsecret-patcher
-        image: "quay.io/titansoft/imagepullsecret-patcher:v0.8"
+        image: "quay.io/titansoft/imagepullsecret-patcher:v0.9"
         env:
           - name: CONFIG_FORCE
             value: "true"
           - name: CONFIG_DEBUG
             value: "false"
+          - name: CONFIG_ALLSERVICEACCOUNT
+            value: "true"
           - name: CONFIG_DOCKERCONFIGJSON
             valueFrom:
               secretKeyRef:
diff --git a/go.sum b/go.sum
@@ -23,6 +23,7 @@ github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkg
 github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs=
 github.com/evanphx/json-patch v4.2.0+incompatible h1:fUDGZCv/7iAN7u0puUVhvKCcsR6vRfwrJatElLBEf0I=
 github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
+github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-logr/logr v0.1.0/go.mod h1:ixOQHD9gLJUVQQ2ZOR7zLEifBX6tGkNJF4QyIY7sIas=
@@ -43,6 +44,7 @@ github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
+github.com/google/go-cmp v0.3.0 h1:crn/baboCvb5fXaQ0IJ1SGTsTVrWpDsCWC8EGETZijY=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
@@ -57,6 +59,7 @@ github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEo
 github.com/gregjones/httpcache v0.0.0-20180305231024-9cad4c3443a7/go.mod h1:FecbI9+v66THATjSRHfNgh1IVFe/9kFxbXtjV0ctIMA=
 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
 github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/hpcloud/tail v1.0.0 h1:nfCOvKYfkgYP8hkirhJocXT2+zOD8yUNjXaWfTlyFKI=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
 github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/json-iterator/go v0.0.0-20180612202835-f2b4162afba3/go.mod h1:+SdeFBvtyEkXs7REEP0seUULqWtbJapLOCVDaaPEHmU=
@@ -65,9 +68,12 @@ github.com/json-iterator/go v1.1.8/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/u
 github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@@ -81,22 +87,27 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
 github.com/onsi/ginkgo v0.0.0-20170829012221-11459a886d9c/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.10.1 h1:q/mM8GF/n0shIN8SaAZ0V+jnLPzen6WIVZdiwrRlMlo=
 github.com/onsi/ginkgo v1.10.1/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
+github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
 github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
+github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v0.0.0-20151208002404-e3a8ff8ce365/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 golang.org/x/crypto v0.0.0-20190211182817-74369b46fc67/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4=
@@ -151,16 +162,20 @@ golang.org/x/tools v0.0.0-20190312170243-e65039ee4138/go.mod h1:LCzVGOaR6xXOjkQ3
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/appengine v1.5.0 h1:KxkO13IPW4Lslp2bz+KHP2E3gtFlrIGNThxkZQ3g+4c=
 google.golang.org/appengine v1.5.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190307195333-5fe7a883aa19/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/genproto v0.0.0-20190418145605-e7d98fc518a7/go.mod h1:VzzqZJRnGkLBvHegQrXjBqPurQTc5/KpmUdxsrq26oE=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33q108Sa+fhmuc+sWQYwY=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
+gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw=
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/main.go b/main.go
@@ -14,10 +14,11 @@ import (
 )
 
 var (
-	configForce            bool   = true
-	configDebug            bool   = false
-	configDockerconfigjson string = ""
-	configSecretName       string = "image-pull-secret" // default to image-pull-secret
+	configForce             bool   = true
+	configDebug             bool   = false
+	configAllServiceAccount bool   = false
+	configDockerconfigjson  string = ""
+	configSecretName        string = "image-pull-secret" // default to image-pull-secret
 )
 
 type k8sClient struct {
@@ -28,6 +29,7 @@ func main() {
 	// parse flags
 	flag.BoolVar(&configForce, "force", LookUpEnvOrBool("CONFIG_FORCE", configForce), "force to overwrite secrets when not match")
 	flag.BoolVar(&configDebug, "debug", LookUpEnvOrBool("CONFIG_DEBUG", configDebug), "show DEBUG logs")
+	flag.BoolVar(&configAllServiceAccount, "allserviceaccount", LookUpEnvOrBool("CONFIG_ALLSERVICEACCOUNT", configAllServiceAccount), "if false, patch just default service account; if true, list and patch all service accounts")
 	flag.StringVar(&configDockerconfigjson, "dockerconfigjson", LookupEnvOrString("CONFIG_DOCKERCONFIGJSON", configDockerconfigjson), "json credential for authenicating container registry")
 	flag.StringVar(&configSecretName, "secretname", LookupEnvOrString("CONFIG_SECRETNAME", configSecretName), "set name of managed secrets")
 	flag.Parse()
@@ -120,22 +122,28 @@ func processSecret(k8s *k8sClient, namespace string) error {
 }
 
 func processServiceAccount(k8s *k8sClient, namespace string) error {
-	sa, err := k8s.clientset.CoreV1().ServiceAccounts(namespace).Get(defaultServiceAccountName, metav1.GetOptions{})
+	sas, err := k8s.clientset.CoreV1().ServiceAccounts(namespace).List(metav1.ListOptions{})
 	if err != nil {
-		return fmt.Errorf("[%s] Failed to get service account [%s]: %v", namespace, defaultServiceAccountName, err)
+		return fmt.Errorf("[%s] Failed to list service accounts: %v", namespace, err)
 	}
-	if includeImagePullSecret(sa, configSecretName) {
-		log.Debugf("[%s] ImagePullSecrets found", namespace)
-		return nil
-	}
-	patch, err := getPatchString(sa, configSecretName)
-	if err != nil {
-		return fmt.Errorf("[%s] Failed to get patch string: %v", namespace, err)
-	}
-	_, err = k8s.clientset.CoreV1().ServiceAccounts(namespace).Patch(defaultServiceAccountName, types.StrategicMergePatchType, patch)
-	if err != nil {
-		return fmt.Errorf("[%s] Failed to patch imagePullSecrets to service account [%s]: %v", namespace, defaultServiceAccountName, err)
+	for _, sa := range sas.Items {
+		if !configAllServiceAccount && sa.Name != defaultServiceAccountName {
+			log.Debugf("[%s] Skip non-default service account [%s]", namespace, sa.Name)
+			continue
+		}
+		if includeImagePullSecret(&sa, configSecretName) {
+			log.Debugf("[%s] ImagePullSecrets found", namespace)
+			continue
+		}
+		patch, err := getPatchString(&sa, configSecretName)
+		if err != nil {
+			return fmt.Errorf("[%s] Failed to get patch string: %v", namespace, err)
+		}
+		_, err = k8s.clientset.CoreV1().ServiceAccounts(namespace).Patch(sa.Name, types.StrategicMergePatchType, patch)
+		if err != nil {
+			return fmt.Errorf("[%s] Failed to patch imagePullSecrets to service account [%s]: %v", namespace, sa.Name, err)
+		}
+		log.Infof("[%s] Patched imagePullSecrets to service account [%s]", namespace, sa.Name)
 	}
-	log.Infof("[%s] Patched imagePullSecrets to service account [%s]", namespace, defaultServiceAccountName)
 	return nil
 }
diff --git a/main_test.go b/main_test.go
@@ -65,36 +65,60 @@ var testCasesProcessServiceAccount = []testCase{
 	{
 		name: "no image pull secret",
 		prepSteps: []step{
-			helperCreateServiceAccountWithoutImagePullSecret,
-			assertHasError(assertHasImagePullSecret(configSecretName)),
+			helperCreateServiceAccountWithoutImagePullSecret(defaultServiceAccountName),
+			assertHasError(assertHasImagePullSecret(configSecretName, defaultServiceAccountName)),
 		},
 		testSteps: []step{
 			processServiceAccountDefault,
-			assertHasImagePullSecret(configSecretName),
+			assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
 		},
 	},
 	{
 		name: "has same image pull secret",
 		prepSteps: []step{
-			helperCreateServiceAccountWithImagePullSecret(configSecretName),
-			assertHasImagePullSecret(configSecretName),
+			helperCreateServiceAccountWithImagePullSecret(configSecretName, defaultServiceAccountName),
+			assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
 		},
 		testSteps: []step{
 			processServiceAccountDefault,
-			assertHasImagePullSecret(configSecretName),
+			assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
 		},
 	},
 	{
 		name: "has different image pull secret",
 		prepSteps: []step{
-			helperCreateServiceAccountWithImagePullSecret("other-secret"),
-			assertHasImagePullSecret("other-secret"),
-			assertHasError(assertHasImagePullSecret(configSecretName)),
+			helperCreateServiceAccountWithImagePullSecret("other-secret", defaultServiceAccountName),
+			assertHasImagePullSecret("other-secret", defaultServiceAccountName),
+			assertHasError(assertHasImagePullSecret(configSecretName, defaultServiceAccountName)),
 		},
 		testSteps: []step{
 			processServiceAccountDefault,
-			assertHasImagePullSecret("other-secret"),
-			assertHasImagePullSecret(configSecretName),
+			assertHasImagePullSecret("other-secret", defaultServiceAccountName),
+			assertHasImagePullSecret(configSecretName, defaultServiceAccountName),
+		},
+	},
+	{
+		name: "non-default service account - skip when allServiceAccount off",
+		prepSteps: []step{
+			helperAllServiceAccountOff,
+			helperCreateServiceAccountWithoutImagePullSecret("other-service-account"),
+			assertHasError(assertHasImagePullSecret(configSecretName, "other-service-account")),
+		},
+		testSteps: []step{
+			processServiceAccountDefault,
+			assertHasError(assertHasImagePullSecret(configSecretName, "other-service-account")),
+		},
+	},
+	{
+		name: "non-default service account - patch when allServiceAccount on",
+		prepSteps: []step{
+			helperAllServiceAccountOn,
+			helperCreateServiceAccountWithoutImagePullSecret("other-service-account"),
+			assertHasError(assertHasImagePullSecret(configSecretName, "other-service-account")),
+		},
+		testSteps: []step{
+			processServiceAccountDefault,
+			assertHasImagePullSecret(configSecretName, "other-service-account"),
 		},
 	},
 }
@@ -170,21 +194,23 @@ func helperCreateOpaqueSecret(k8s *k8sClient) error {
 	return err
 }
 
-func helperCreateServiceAccountWithoutImagePullSecret(k8s *k8sClient) error {
-	_, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Create(&v1.ServiceAccount{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      defaultServiceAccountName,
-			Namespace: v1.NamespaceDefault,
-		},
-	})
-	return err
+func helperCreateServiceAccountWithoutImagePullSecret(serviceAccountName string) step {
+	return func(k8s *k8sClient) error {
+		_, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Create(&v1.ServiceAccount{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      serviceAccountName,
+				Namespace: v1.NamespaceDefault,
+			},
+		})
+		return err
+	}
 }
 
-func helperCreateServiceAccountWithImagePullSecret(secretName string) step {
+func helperCreateServiceAccountWithImagePullSecret(secretName, serviceAccountName string) step {
 	return func(k8s *k8sClient) error {
 		_, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Create(&v1.ServiceAccount{
 			ObjectMeta: metav1.ObjectMeta{
-				Name:      defaultServiceAccountName,
+				Name:      serviceAccountName,
 				Namespace: v1.NamespaceDefault,
 			},
 			ImagePullSecrets: []v1.LocalObjectReference{
@@ -207,6 +233,16 @@ func helperForceOff(_ *k8sClient) error {
 	return nil
 }
 
+func helperAllServiceAccountOn(_ *k8sClient) error {
+	configAllServiceAccount = true
+	return nil
+}
+
+func helperAllServiceAccountOff(_ *k8sClient) error {
+	configAllServiceAccount = false
+	return nil
+}
+
 // a set of assertion functions
 func assertNoSecret(k8s *k8sClient) error {
 	_, err := k8s.clientset.CoreV1().Secrets(v1.NamespaceDefault).Get(configSecretName, metav1.GetOptions{})
@@ -250,9 +286,9 @@ func assertHasError(fn step) step {
 	}
 }
 
-func assertHasImagePullSecret(secretName string) step {
+func assertHasImagePullSecret(secretName, serviceAccountName string) step {
 	return func(k8s *k8sClient) error {
-		sa, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Get(defaultServiceAccountName, metav1.GetOptions{})
+		sa, err := k8s.clientset.CoreV1().ServiceAccounts(v1.NamespaceDefault).Get(serviceAccountName, metav1.GetOptions{})
 		if err != nil {
 			return err
 		}
