Story
Resolution: Done
Blocker
openshift-4.15
SECFLOWOTL-22 - OCP Capabilities: Disable Builder Service Account
Pipeline Integrations #3253, Pipeline Integrations #3254
Story (Required)
As an OpenShift engineer trying to use capabilities to enable/disable the Build and DeploymentConfig systems, I want to refactor the default rolebindings controller so that each respective capability runs a separate controller.
<Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer’s experience?>
Background (Required)
<Describes the context or background related to this story>
OpenShift has a controller that automatically creates role bindings for service accounts in every namespace. Although only one controller runs, its logic contains branches that are specific to the Build and DeploymentConfig systems.
The goal is to refactor this into separate controllers so that individual ones can be disabled by the cluster-openshift-controller-manager-operator.
Out of scope
<Defines what is not included in this story>
- Disabling the rolebindings controller via an operator.
- Cleaning up rolebindings that are "orphaned" if the controller is disabled.
Approach (Required)
<Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>
Dependencies
<Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>
- API-1651 - this was refactoring work taken on by the apiserver/auth team.
Acceptance Criteria (Mandatory)
<Describe edge cases to consider when implementing the story and defining tests>
<Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>
- Separate rolebinding controllers exist for the builder and deployer service account rolebindings.
- Build and DeploymentConfig systems remain functional when the respective capability is enabled.
- The "image puller" role binding must continue to be created/reconciled.
INVEST Checklist
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
- Eng: 3
Done Checklist
- Code is completed, reviewed, documented and checked in
- Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
- Continuous Delivery pipeline(s) is able to proceed with new code included
- Customer facing documentation, API docs etc. are produced/updated, reviewed and published
- Acceptance criteria are met
- blocks
  - OCPBUILD-9 Disable Build/Deployer/Image Registry RBAC Controllers with Capabilities (Release Pending)
  - OCPBUILD-19 Disable `builder` Service Account Generation (Closed)
- is depended on by
  - OCPBUILD-19 Disable `builder` Service Account Generation (Closed)
- relates to
  - API-1651 Create separate controllers for default service accounts (Review)
- links to