
Refactor Rolebinding Controllers to align with Capabilities


    • SECFLOWOTL-22 - OCP Capabilities: Disable Builder Service Account
    • Pipeline Integrations #3253, Pipeline Integrations #3254

      Story (Required)

      As an OpenShift engineer trying to use capabilities to enable/disable the Build and DeploymentConfig systems, I want to refactor the default rolebindings controller so that each respective capability runs a separate controller.


      Background (Required)

      OpenShift has a controller that automatically creates role-bindings for service accounts in every namespace. Though only one controller operates, its logic contains forks that are specific to the Build and DeploymentConfig systems.

      The goal is to refactor this into separate controllers so that individual ones can be disabled by the cluster-openshift-controller-manager-operator.

      Out of scope


      • Disabling the rolebindings controller via an operator.
      • Cleaning up rolebindings that are "orphaned" if the controller is disabled.

      Approach (Required)



      Dependencies

      • API-1651 - this was refactoring work taken on by the apiserver/auth team.

      Acceptance Criteria (Mandatory)


      • Separate rolebinding controllers exist for the builder and deployer service account rolebindings.
      • Build and DeploymentConfig systems remain functional when the respective capability is enabled.
      • The "image puller" role binding must continue to be created/reconciled.

      INVEST Checklist

      Dependencies identified
      Blockers noted and expected delivery timelines set
      Design is implementable
      Acceptance criteria agreed upon
      Story estimated

      • Eng: 3



      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation has been delivered and is running cleanly in a continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) are able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

            rh-ee-apjagtap Apoorva Jagtap
            adkaplan@redhat.com Adam Kaplan