Loading...

XML

Word

Printable

Details

Type: Story
Resolution: Won't Do
Priority: Undefined
Fix Version/s: None
Affects Version/s: None
Component/s: shared-resources
Labels:
- no-doc
- no-px
- no-qe
- refined

Blocked:
False
Ready:
False
Epic Link:
Shared Resources: Beta

SFDC Cases Links:
SFDC Cases Counter:

Description

Spike User Stories

As a developer building applications on OpenShift
I want to have access to RHEL subscription content in builds
So that I can install RPMs in my application which require a Red Hat subscription

As a cluster admin with 3rd party tenant users
I do not want to expose my RHEL content access certificate to users
So that third parties use my certificate to access RHEL content in violation of our contract with Red Hat.

As a cluster administrator
I want to control which namespaces and service accounts have access to the RHEL content access certificate
So that only users with permission to consume RHEL content can do so.

Acceptance Criteria

Answer the following:

1. Should we have a well known `SharedSecret` which is created along with the cluster simple content access certificate? Not by default, this should require some form of config to be set to true.
2. Should there be default RBAC associated with this `SharedSecret`? For instance, should all `builder` service accounts have permission to use the well known `SharedSecret`? Not by default, though there should be some form of config to set this to true.
3. If yes to 1 and 2, which component(s) should be responsible for creating the well known secret and associated RBAC? TBD, likely a combination of the Insights Operator and openshift-controller-manager-operator.

We need to update our EPs for subscription content access so the process is clear and coherent.

Docs Impact

None

PX Impact

None

QE Impact

None

Notes

Some customers run OpenShift as a service for other users (multi-tenant). Their entitlement should not be shared by default since the entitlement does not belong to the end user.

The creation of the `SharedSecret` that exposes the simple content access certificate should be a day 2 action. Similar story with creating the RBAC for all builder service accounts. The Insights operator has configuration which prevents the downloading of the SCA certificate - this is something we can take advantage of or build on top of.

Safest course is to ensure that this capability is opt-in. The global opt in process should be simple - for example, changing an OpenShift cluster config API.
We should also have a "plan B" approach where service accounts can opt into using the SharedSecret on a namespace/service account level.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Adam Kaplan

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2021/10/19 1:43 PM

Updated:: 2024/03/06 1:37 PM

Resolved:: 2023/08/14 6:24 PM