From a80fa243fd1bf59d811b9e27d266da007cdd3175 Mon Sep 17 00:00:00 2001
From: Frederic Branczyk <fbranczyk@gmail.com>
Date: Thu, 4 Mar 2021 17:00:48 +0100
Subject: [PATCH] *: Add non-default service accounts to all components

Signed-off-by: Frederic Branczyk <fbranczyk@gmail.com>
---
 CHANGELOG.md                                  |  3 +-
 all.jsonnet                                   | 10 +--
 .../manifests/store-shard0-statefulSet.yaml   |  1 +
 .../manifests/store-shard1-statefulSet.yaml   |  1 +
 .../manifests/store-shard2-statefulSet.yaml   |  1 +
 .../manifests/thanos-bucket-deployment.yaml   |  1 +
 .../thanos-bucket-serviceAccount.yaml         | 10 +++
 .../thanos-compact-serviceAccount.yaml        | 10 +++
 .../manifests/thanos-compact-statefulSet.yaml |  1 +
 .../thanos-query-frontend-deployment.yaml     |  1 +
 .../thanos-query-frontend-serviceAccount.yaml | 10 +++
 .../thanos-receive-default-statefulSet.yaml   |  1 +
 .../thanos-receive-region-1-statefulSet.yaml  |  1 +
 .../thanos-receive-serviceAccount.yaml        | 10 +++
 .../manifests/thanos-receive-statefulSet.yaml |  1 +
 .../manifests/thanos-rule-serviceAccount.yaml | 10 +++
 .../manifests/thanos-rule-statefulSet.yaml    |  1 +
 .../thanos-store-serviceAccount.yaml          | 10 +++
 .../manifests/thanos-store-statefulSet.yaml   |  1 +
 .../kube-thanos/kube-thanos-bucket.libsonnet  | 11 +++
 .../kube-thanos/kube-thanos-compact.libsonnet | 11 +++
 .../kube-thanos-query-frontend.libsonnet      | 11 +++
 .../kube-thanos-receive-hashrings.libsonnet   | 70 ++++++++++++-------
 .../kube-thanos/kube-thanos-receive.libsonnet | 11 +++
 .../kube-thanos/kube-thanos-rule.libsonnet    | 11 +++
 .../kube-thanos-store-shards.libsonnet        | 14 ++++
 .../kube-thanos/kube-thanos-store.libsonnet   | 11 +++
 manifests/thanos-store-serviceAccount.yaml    | 10 +++
 manifests/thanos-store-statefulSet.yaml       |  1 +
 29 files changed, 212 insertions(+), 33 deletions(-)
 create mode 100644 examples/all/manifests/thanos-bucket-serviceAccount.yaml
 create mode 100644 examples/all/manifests/thanos-compact-serviceAccount.yaml
 create mode 100644 examples/all/manifests/thanos-query-frontend-serviceAccount.yaml
 create mode 100644 examples/all/manifests/thanos-receive-serviceAccount.yaml
 create mode 100644 examples/all/manifests/thanos-rule-serviceAccount.yaml
 create mode 100644 examples/all/manifests/thanos-store-serviceAccount.yaml
 create mode 100644 manifests/thanos-store-serviceAccount.yaml

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f849758c..9b42487f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,10 +16,11 @@ We use *breaking* word for marking changes that are not backward compatible (rel
 ### Breaking Changes
 
 - [#188](https://github.com/thanos-io/kube-thanos/pull/188) Single ServiceMonitor for store shards
+- [#196](https://github.com/thanos-io/kube-thanos/pull/196) Single ServiceAccount for all hashrings, causing hashrings position in the object tree to change.
 
 ### Changed
 
--
+- [#196](https://github.com/thanos-io/kube-thanos/pull/196) Single ServiceAccount for each component.
 
 ### Added
 
diff --git a/all.jsonnet b/all.jsonnet
index e637b7a3..a9588841 100644
--- a/all.jsonnet
+++ b/all.jsonnet
@@ -192,7 +192,7 @@ local finalQ = t.query(q.config {
   stores: [
     'dnssrv+_grpc._tcp.%s.%s.svc.cluster.local' % [service.metadata.name, service.metadata.namespace]
     for service in [re.service, ru.service, s.service] +
-                   [rcvs[hashring].service for hashring in std.objectFields(rcvs)] +
+                   [rcvs.hashrings[hashring].service for hashring in std.objectFields(rcvs.hashrings)] +
                    [strs.shards[shard].service for shard in std.objectFields(strs.shards)]
   ],
 });
@@ -205,10 +205,10 @@ local finalQ = t.query(q.config {
 { ['thanos-query-' + name]: finalQ[name] for name in std.objectFields(finalQ) } +
 { ['thanos-query-frontend-' + name]: qf[name] for name in std.objectFields(qf) } +
 {
-  ['thanos-receive-' + hashring + '-' + name]: rcvs[hashring][name]
-  for hashring in std.objectFields(rcvs)
-  for name in std.objectFields(rcvs[hashring])
-  if rcvs[hashring][name] != null
+  ['thanos-receive-' + hashring + '-' + name]: rcvs.hashrings[hashring][name]
+  for hashring in std.objectFields(rcvs.hashrings)
+  for name in std.objectFields(rcvs.hashrings[hashring])
+  if rcvs.hashrings[hashring][name] != null
 } +
 {
   ['store-' + shard + '-' + name]: strs.shards[shard][name]
diff --git a/examples/all/manifests/store-shard0-statefulSet.yaml b/examples/all/manifests/store-shard0-statefulSet.yaml
index e93e395c..cb5d8ed8 100644
--- a/examples/all/manifests/store-shard0-statefulSet.yaml
+++ b/examples/all/manifests/store-shard0-statefulSet.yaml
@@ -144,6 +144,7 @@ spec:
         - mountPath: /var/thanos/store
           name: data
           readOnly: false
+      serviceAccountName: thanos-store
       terminationGracePeriodSeconds: 120
       volumes: []
   volumeClaimTemplates:
diff --git a/examples/all/manifests/store-shard1-statefulSet.yaml b/examples/all/manifests/store-shard1-statefulSet.yaml
index 7022a79b..2cded164 100644
--- a/examples/all/manifests/store-shard1-statefulSet.yaml
+++ b/examples/all/manifests/store-shard1-statefulSet.yaml
@@ -144,6 +144,7 @@ spec:
         - mountPath: /var/thanos/store
           name: data
           readOnly: false
+      serviceAccountName: thanos-store
       terminationGracePeriodSeconds: 120
       volumes: []
   volumeClaimTemplates:
diff --git a/examples/all/manifests/store-shard2-statefulSet.yaml b/examples/all/manifests/store-shard2-statefulSet.yaml
index a45d13e8..abe66900 100644
--- a/examples/all/manifests/store-shard2-statefulSet.yaml
+++ b/examples/all/manifests/store-shard2-statefulSet.yaml
@@ -144,6 +144,7 @@ spec:
         - mountPath: /var/thanos/store
           name: data
           readOnly: false
+      serviceAccountName: thanos-store
       terminationGracePeriodSeconds: 120
       volumes: []
   volumeClaimTemplates:
diff --git a/examples/all/manifests/thanos-bucket-deployment.yaml b/examples/all/manifests/thanos-bucket-deployment.yaml
index 5736af0e..de5f81c8 100644
--- a/examples/all/manifests/thanos-bucket-deployment.yaml
+++ b/examples/all/manifests/thanos-bucket-deployment.yaml
@@ -70,4 +70,5 @@ spec:
             cpu: 0.123
             memory: 123Mi
         terminationMessagePolicy: FallbackToLogsOnError
+      serviceAccountName: thanos-bucket
       terminationGracePeriodSeconds: 120
diff --git a/examples/all/manifests/thanos-bucket-serviceAccount.yaml b/examples/all/manifests/thanos-bucket-serviceAccount.yaml
new file mode 100644
index 00000000..1a2fc5dd
--- /dev/null
+++ b/examples/all/manifests/thanos-bucket-serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: object-store-bucket-debugging
+    app.kubernetes.io/instance: thanos-bucket
+    app.kubernetes.io/name: thanos-bucket
+    app.kubernetes.io/version: v0.17.2
+  name: thanos-bucket
+  namespace: thanos
diff --git a/examples/all/manifests/thanos-compact-serviceAccount.yaml b/examples/all/manifests/thanos-compact-serviceAccount.yaml
new file mode 100644
index 00000000..dd697bb7
--- /dev/null
+++ b/examples/all/manifests/thanos-compact-serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: database-compactor
+    app.kubernetes.io/instance: thanos-compact
+    app.kubernetes.io/name: thanos-compact
+    app.kubernetes.io/version: v0.17.2
+  name: thanos-compact
+  namespace: thanos
diff --git a/examples/all/manifests/thanos-compact-statefulSet.yaml b/examples/all/manifests/thanos-compact-statefulSet.yaml
index 18be7c7a..382006c3 100644
--- a/examples/all/manifests/thanos-compact-statefulSet.yaml
+++ b/examples/all/manifests/thanos-compact-statefulSet.yaml
@@ -83,6 +83,7 @@ spec:
         - mountPath: /var/thanos/compact
           name: data
           readOnly: false
+      serviceAccountName: thanos-compact
       terminationGracePeriodSeconds: 120
       volumes: []
   volumeClaimTemplates:
diff --git a/examples/all/manifests/thanos-query-frontend-deployment.yaml b/examples/all/manifests/thanos-query-frontend-deployment.yaml
index 0baabaf4..771c6267 100644
--- a/examples/all/manifests/thanos-query-frontend-deployment.yaml
+++ b/examples/all/manifests/thanos-query-frontend-deployment.yaml
@@ -107,4 +107,5 @@ spec:
             cpu: 0.123
             memory: 123Mi
         terminationMessagePolicy: FallbackToLogsOnError
+      serviceAccountName: thanos-query-frontend
       terminationGracePeriodSeconds: 120
diff --git a/examples/all/manifests/thanos-query-frontend-serviceAccount.yaml b/examples/all/manifests/thanos-query-frontend-serviceAccount.yaml
new file mode 100644
index 00000000..e92cd816
--- /dev/null
+++ b/examples/all/manifests/thanos-query-frontend-serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: query-cache
+    app.kubernetes.io/instance: thanos-query-frontend
+    app.kubernetes.io/name: thanos-query-frontend
+    app.kubernetes.io/version: v0.17.2
+  name: thanos-query-frontend
+  namespace: thanos
diff --git a/examples/all/manifests/thanos-receive-default-statefulSet.yaml b/examples/all/manifests/thanos-receive-default-statefulSet.yaml
index 67133198..1075a0cf 100644
--- a/examples/all/manifests/thanos-receive-default-statefulSet.yaml
+++ b/examples/all/manifests/thanos-receive-default-statefulSet.yaml
@@ -134,6 +134,7 @@ spec:
           readOnly: false
         - mountPath: /var/lib/thanos-receive
           name: hashring-config
+      serviceAccountName: thanos-receive
       terminationGracePeriodSeconds: 900
       volumes:
       - configMap:
diff --git a/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml b/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml
index 6a39ac34..44bf8031 100644
--- a/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml
+++ b/examples/all/manifests/thanos-receive-region-1-statefulSet.yaml
@@ -134,6 +134,7 @@ spec:
           readOnly: false
         - mountPath: /var/lib/thanos-receive
           name: hashring-config
+      serviceAccountName: thanos-receive
       terminationGracePeriodSeconds: 900
       volumes:
       - configMap:
diff --git a/examples/all/manifests/thanos-receive-serviceAccount.yaml b/examples/all/manifests/thanos-receive-serviceAccount.yaml
new file mode 100644
index 00000000..fc509bc3
--- /dev/null
+++ b/examples/all/manifests/thanos-receive-serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: database-write-hashring
+    app.kubernetes.io/instance: thanos-receive
+    app.kubernetes.io/name: thanos-receive
+    app.kubernetes.io/version: v0.17.2
+  name: thanos-receive
+  namespace: thanos
diff --git a/examples/all/manifests/thanos-receive-statefulSet.yaml b/examples/all/manifests/thanos-receive-statefulSet.yaml
index 7b3f34e2..1596e117 100644
--- a/examples/all/manifests/thanos-receive-statefulSet.yaml
+++ b/examples/all/manifests/thanos-receive-statefulSet.yaml
@@ -130,6 +130,7 @@ spec:
           readOnly: false
         - mountPath: /var/lib/thanos-receive
           name: hashring-config
+      serviceAccountName: thanos-receive
       terminationGracePeriodSeconds: 900
       volumes:
       - configMap:
diff --git a/examples/all/manifests/thanos-rule-serviceAccount.yaml b/examples/all/manifests/thanos-rule-serviceAccount.yaml
new file mode 100644
index 00000000..af4d793a
--- /dev/null
+++ b/examples/all/manifests/thanos-rule-serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: rule-evaluation-engine
+    app.kubernetes.io/instance: thanos-rule
+    app.kubernetes.io/name: thanos-rule
+    app.kubernetes.io/version: v0.17.2
+  name: thanos-rule
+  namespace: thanos
diff --git a/examples/all/manifests/thanos-rule-statefulSet.yaml b/examples/all/manifests/thanos-rule-statefulSet.yaml
index 95cae558..83827a89 100644
--- a/examples/all/manifests/thanos-rule-statefulSet.yaml
+++ b/examples/all/manifests/thanos-rule-statefulSet.yaml
@@ -90,6 +90,7 @@ spec:
           readOnly: false
         - mountPath: /etc/thanos/rules/test
           name: test
+      serviceAccountName: thanos-rule
       volumes:
       - configMap:
           name: test
diff --git a/examples/all/manifests/thanos-store-serviceAccount.yaml b/examples/all/manifests/thanos-store-serviceAccount.yaml
new file mode 100644
index 00000000..a6e4dc95
--- /dev/null
+++ b/examples/all/manifests/thanos-store-serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: object-store-gateway
+    app.kubernetes.io/instance: thanos-store
+    app.kubernetes.io/name: thanos-store
+    app.kubernetes.io/version: v0.17.2
+  name: thanos-store
+  namespace: thanos
diff --git a/examples/all/manifests/thanos-store-statefulSet.yaml b/examples/all/manifests/thanos-store-statefulSet.yaml
index ab4d0833..7e4493c0 100644
--- a/examples/all/manifests/thanos-store-statefulSet.yaml
+++ b/examples/all/manifests/thanos-store-statefulSet.yaml
@@ -132,6 +132,7 @@ spec:
         - mountPath: /var/thanos/store
           name: data
           readOnly: false
+      serviceAccountName: thanos-store
       terminationGracePeriodSeconds: 120
       volumes: []
   volumeClaimTemplates:
diff --git a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet
index aa1da25d..def27e78 100644
--- a/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-bucket.libsonnet
@@ -63,6 +63,16 @@ function(params) {
     },
   },
 
+  serviceAccount: {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      name: tb.config.name,
+      namespace: tb.config.namespace,
+      labels: tb.config.commonLabels,
+    },
+  },
+
   deployment:
     local container = {
       name: 'thanos-bucket',
@@ -119,6 +129,7 @@ function(params) {
         template: {
           metadata: { labels: tb.config.commonLabels },
           spec: {
+            serviceAccountName: tb.serviceAccount.metadata.name,
             containers: [container],
             terminationGracePeriodSeconds: 120,
           },
diff --git a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
index 6f07d611..e1204ea1 100644
--- a/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-compact.libsonnet
@@ -74,6 +74,16 @@ function(params) {
     },
   },
 
+  serviceAccount: {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      name: tc.config.name,
+      namespace: tc.config.namespace,
+      labels: tc.config.commonLabels,
+    },
+  },
+
   statefulSet:
     local c = {
       name: 'thanos-compact',
@@ -151,6 +161,7 @@ function(params) {
             labels: tc.config.commonLabels,
           },
           spec: {
+            serviceAccountName: tc.serviceAccount.metadata.name,
             containers: [c],
             volumes: [],
             terminationGracePeriodSeconds: 120,
diff --git a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
index 8451058c..81b18930 100644
--- a/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-query-frontend.libsonnet
@@ -119,6 +119,16 @@ function(params) {
     },
   },
 
+  serviceAccount: {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      name: tqf.config.name,
+      namespace: tqf.config.namespace,
+      labels: tqf.config.commonLabels,
+    },
+  },
+
   deployment:
     local c = {
       name: 'thanos-query-frontend',
@@ -187,6 +197,7 @@ function(params) {
           metadata: { labels: tqf.config.commonLabels },
           spec: {
             containers: [c],
+            serviceAccountName: tqf.serviceAccount.metadata.name,
             terminationGracePeriodSeconds: 120,
             affinity: { podAntiAffinity: {
               preferredDuringSchedulingIgnoredDuringExecution: [{
diff --git a/jsonnet/kube-thanos/kube-thanos-receive-hashrings.libsonnet b/jsonnet/kube-thanos/kube-thanos-receive-hashrings.libsonnet
index 4299f84d..56dff263 100644
--- a/jsonnet/kube-thanos/kube-thanos-receive-hashrings.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-receive-hashrings.libsonnet
@@ -19,36 +19,52 @@ function(params)
   assert std.isArray(config.hashrings) : 'thanos receive hashrings has to be an array';
 
   { config:: config } + {
-    [h.hashring]: receive(config {
-      name+: '-' + h.hashring,
-      commonLabels+:: {
-        'controller.receive.thanos.io/hashring': h.hashring,
+    local allHashrings = self,
+
+    serviceAccount: {
+      apiVersion: 'v1',
+      kind: 'ServiceAccount',
+      metadata: {
+        name: config.name,
+        namespace: config.namespace,
+        labels: config.commonLabels,
       },
-    }) {
-      local receiver = self,
-      podDisruptionBudget:: {},  // hide this object, we don't want it
-      statefulSet+: {
-        metadata+: {
-          labels+: {
-            'controller.receive.thanos.io': 'thanos-receive-controller',
-          },
+    },
+    hashrings: {
+      [h.hashring]: receive(config {
+        name+: '-' + h.hashring,
+        commonLabels+:: {
+          'controller.receive.thanos.io/hashring': h.hashring,
         },
-        spec+: {
-          template+: {
-            spec+: {
-              containers: [
-                if c.name == 'thanos-receive' then c {
-                  env+: if std.objectHas(receiver.config, 'debug') && receiver.config.debug != '' then [
-                    { name: 'DEBUG', value: receiver.config.debug },
-                  ] else [],
-                }
-                else c
-                for c in super.containers
-              ],
+      }) {
+        local receiver = self,
+
+        serviceAccount: null,  // one service account for all stores
+        podDisruptionBudget:: {},  // hide this object, we don't want it
+        statefulSet+: {
+          metadata+: {
+            labels+: {
+              'controller.receive.thanos.io': 'thanos-receive-controller',
+            },
+          },
+          spec+: {
+            template+: {
+              spec+: {
+                serviceAccountName: allHashrings.serviceAccount.metadata.name,
+                containers: [
+                  if c.name == 'thanos-receive' then c {
+                    env+: if std.objectHas(receiver.config, 'debug') && receiver.config.debug != '' then [
+                      { name: 'DEBUG', value: receiver.config.debug },
+                    ] else [],
+                  }
+                  else c
+                  for c in super.containers
+                ],
+              },
             },
           },
         },
-      },
-    }
-    for h in config.hashrings
+      }
+      for h in config.hashrings
+    },
   }
diff --git a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
index 82156754..495d03cf 100644
--- a/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-receive.libsonnet
@@ -37,6 +37,16 @@ function(params) {
     },
   },
 
+  serviceAccount: {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      name: tr.config.name,
+      namespace: tr.config.namespace,
+      labels: tr.config.commonLabels,
+    },
+  },
+
   statefulSet:
     local localEndpointFlag = '--receive.local-endpoint=$(NAME).%s.$(NAMESPACE).svc.cluster.local:%d' % [
       tr.config.name,
@@ -128,6 +138,7 @@ function(params) {
             labels: tr.config.commonLabels,
           },
           spec: {
+            serviceAccountName: tr.serviceAccount.metadata.name,
             containers: [c],
             volumes: if tr.config.hashringConfigMapName != '' then [{
               name: 'hashring-config',
diff --git a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
index 25e657d1..a6c92d77 100644
--- a/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-rule.libsonnet
@@ -76,6 +76,16 @@ function(params) {
     },
   },
 
+  serviceAccount: {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      name: tr.config.name,
+      namespace: tr.config.namespace,
+      labels: tr.config.commonLabels,
+    },
+  },
+
   statefulSet:
     local c = {
       name: 'thanos-rule',
@@ -161,6 +171,7 @@ function(params) {
             labels: tr.config.commonLabels,
           },
           spec: {
+            serviceAccountName: tr.serviceAccount.metadata.name,
             containers: [c],
             volumes: [
               { name: ruleConfig.name, configMap: { name: ruleConfig.name } }
diff --git a/jsonnet/kube-thanos/kube-thanos-store-shards.libsonnet b/jsonnet/kube-thanos/kube-thanos-store-shards.libsonnet
index b51ac157..fdfb8fd8 100644
--- a/jsonnet/kube-thanos/kube-thanos-store-shards.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-store-shards.libsonnet
@@ -16,15 +16,29 @@ function(params)
   assert std.isNumber(config.shards) && config.shards >= 0 : 'thanos store shards has to be number >= 0';
 
   { config:: config } + {
+    local allShards = self,
+
+    serviceAccount: {
+      apiVersion: 'v1',
+      kind: 'ServiceAccount',
+      metadata: {
+        name: config.name,
+        namespace: config.namespace,
+        labels: config.commonLabels,
+      },
+    },
+
     shards: {
       ['shard' + i]: store(config {
         name+: '-%d' % i,
         commonLabels+:: { 'store.observatorium.io/shard': 'shard-' + i },
       }) {
+        serviceAccount: null,  // one service account for all stores
         statefulSet+: {
           spec+: {
             template+: {
               spec+: {
+                serviceAccountName: allShards.serviceAccount.metadata.name,
                 containers: [
                   if c.name == 'thanos-store' then c {
                     args+: [
diff --git a/jsonnet/kube-thanos/kube-thanos-store.libsonnet b/jsonnet/kube-thanos/kube-thanos-store.libsonnet
index cc2b236e..af05bff2 100644
--- a/jsonnet/kube-thanos/kube-thanos-store.libsonnet
+++ b/jsonnet/kube-thanos/kube-thanos-store.libsonnet
@@ -51,6 +51,16 @@ function(params) {
     },
   },
 
+  serviceAccount: {
+    apiVersion: 'v1',
+    kind: 'ServiceAccount',
+    metadata: {
+      name: ts.config.name,
+      namespace: ts.config.namespace,
+      labels: ts.config.commonLabels,
+    },
+  },
+
   statefulSet:
     local c = {
       name: 'thanos-store',
@@ -125,6 +135,7 @@ function(params) {
             labels: ts.config.commonLabels,
           },
           spec: {
+            serviceAccountName: ts.serviceAccount.metadata.name,
             containers: [c],
             volumes: [],
             terminationGracePeriodSeconds: 120,
diff --git a/manifests/thanos-store-serviceAccount.yaml b/manifests/thanos-store-serviceAccount.yaml
new file mode 100644
index 00000000..a6e4dc95
--- /dev/null
+++ b/manifests/thanos-store-serviceAccount.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/component: object-store-gateway
+    app.kubernetes.io/instance: thanos-store
+    app.kubernetes.io/name: thanos-store
+    app.kubernetes.io/version: v0.17.2
+  name: thanos-store
+  namespace: thanos
diff --git a/manifests/thanos-store-statefulSet.yaml b/manifests/thanos-store-statefulSet.yaml
index 3921a409..f615d11e 100644
--- a/manifests/thanos-store-statefulSet.yaml
+++ b/manifests/thanos-store-statefulSet.yaml
@@ -85,6 +85,7 @@ spec:
         - mountPath: /var/thanos/store
           name: data
           readOnly: false
+      serviceAccountName: thanos-store
       terminationGracePeriodSeconds: 120
       volumes: []
   volumeClaimTemplates: