Resolution: Won't Do
SECFLOWOTL-22 - Disable Builder Service Account
Pipeline Integrations #3248, Pipeline Integrations #3249, Pipeline Integrations #3250, Pipeline Integrations #3252, Pipeline Integrations #3253
As an OpenShift contributor trying to disable the builder service account, I want to draft an enhancement proposal for this feature so that I get buy-in from critical stakeholders before we proceed with coding.
<Describes the context or background related to this story>
Disabling the "builder" service account has been a longstanding feature request, and core OCP engineering has historically pushed back because this risked breaking the whole system. An enhancement proposal is necessary so that these risks are documented and mitigated.
<Defines what is not included in this story>
- Propose disabling the Build API entirely, beyond the current Capabilities work. This would be a significant undertaking that exceeds the customer request.
- Refactoring/disabling cluster-level RBAC used by builds (such as the image-builder/image-pusher system role).
<Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>
- Iterate on proposal draft with team via Google Doc: link
- When ready, submit enhancement proposal to https://github.com/openshift/enhancements. Need at least 2 weeks for sufficient review/feedback from stakeholders.
- Continue refinement based on feedback - goal to complete entire process in 1 sprint (3 weeks).
<Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>
- Proposal provides a mechanism for the "builder" service account generation to be disabled. Its associated RBAC should also not be created at the namespace scope.
- Enhancement proposal accepted and merged into openshift/enhancements.
- Follow-up JIRA stories drafted and added to this epic.
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
- Proposal is submitted and reviewed by OCP engineering leadership
- Proposal is accepted by OCP leadership
- Subsequent stories implementing all documented requirements are drafted in JIRA.