fix(operator): scope SA token automount to kubernetes-namespaced auth only

Ambient Code Bot · claude · Ambient Code Bot · commit ad3c68c5dd7c · 2026-04-09T18:54:35.000Z
- Only enable ServiceAccount token automount and per-session SA when MLFLOW_TRACKING_AUTH is "kubernetes-namespaced" (read from the copied secret), not for all MLflow-secret sessions. This avoids granting an unnecessary namespace-scoped token to sessions using other auth methods. - Remove duplicate MLFLOW_TRACKING_AUTH env var entry. Addresses CodeRabbit review on PR #1263. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/components/operator/internal/handlers/sessions.go b/components/operator/internal/handlers/sessions.go
@@ -581,6 +581,7 @@ func handleAgenticSessionEvent(obj *unstructured.Unstructured) error {
 	}
 
 	ambientMlflowObsSecretCopied := false
+	mlflowK8sAuth := false
 	mlflowTracingEnabled := os.Getenv("MLFLOW_TRACING_ENABLED") != "" && os.Getenv("MLFLOW_TRACING_ENABLED") != "0" && os.Getenv("MLFLOW_TRACING_ENABLED") != "false"
 
 	if mlflowTracingEnabled {
@@ -593,6 +594,9 @@ func handleAgenticSessionEvent(obj *unstructured.Unstructured) error {
 				log.Printf("Warning: Failed to copy MLflow observability secret: %v. MLflow tracing will be disabled for this session.", err)
 			} else {
 				ambientMlflowObsSecretCopied = true
+				if authVal, ok := mlflowSecret.Data["MLFLOW_TRACKING_AUTH"]; ok && string(authVal) == "kubernetes-namespaced" {
+					mlflowK8sAuth = true
+				}
 				log.Printf("Successfully copied %s to %s", mlflowObsSecretName, sessionNamespace)
 			}
 		} else if !errors.IsNotFound(err) {
@@ -886,7 +890,7 @@ func handleAgenticSessionEvent(obj *unstructured.Unstructured) error {
 	// Create the Pod directly (no Job wrapper for faster startup)
 	runnerSATokenAutomount := false
 	var runnerPodSAName string
-	if ambientMlflowObsSecretCopied {
+	if ambientMlflowObsSecretCopied && mlflowK8sAuth {
 		// MLflow MLFLOW_TRACKING_AUTH=kubernetes-namespaced reads token + namespace from
 		// /var/run/secrets/kubernetes.io/serviceaccount/ (requires automount + session SA).
 		runnerSATokenAutomount = true
@@ -1176,16 +1180,6 @@ func handleAgenticSessionEvent(obj *unstructured.Unstructured) error {
 								},
 							},
 						},
-						corev1.EnvVar{
-							Name: "MLFLOW_TRACKING_AUTH",
-							ValueFrom: &corev1.EnvVarSource{
-								SecretKeyRef: &corev1.SecretKeySelector{
-									LocalObjectReference: corev1.LocalObjectReference{Name: mlflowObsSecretName},
-									Key:                  "MLFLOW_TRACKING_AUTH",
-									Optional:             boolPtr(true),
-								},
-							},
-						},
 						corev1.EnvVar{
 							Name: "MLFLOW_WORKSPACE",
 							ValueFrom: &corev1.EnvVarSource{
