  1. OpenShift Builds
  2. BUILD-733

Enhancement Proposal: Disable builder service account

Details

    • Pipeline Integrations #3248, Pipeline Integrations #3249, Pipeline Integrations #3250, Pipeline Integrations #3252, Pipeline Integrations #3253

    Description

      Story (Required)

      As an OpenShift contributor trying to disable the builder service account, I want to draft an enhancement proposal for this feature so that I get buy-in from critical stakeholders before we proceed with coding.

      <Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer's experience?>

      Background (Required)

      <Describes the context or background related to this story>

      Disabling the "builder" service account has been a longstanding feature request, and core OCP engineering has historically pushed back because this risked breaking the whole system. An enhancement proposal is necessary so that these risks are documented and mitigated.

      Out of scope

      <Defines what is not included in this story>

      • Propose disabling the Build API entirely, beyond the current Capabilities work. This would be a significant undertaking that exceeds the customer request.
      • Refactoring/disabling cluster-level RBAC used by builds (such as the image-builder/image-pusher system role).

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      • Iterate on proposal draft with team via Google Doc: link
      • When ready, submit enhancement proposal to https://github.com/openshift/enhancements. Need at least 2 weeks for sufficient review/feedback from stakeholders.
      • Continue refinement based on feedback - goal to complete entire process in 1 sprint (3 weeks).

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      • Proposal provides a mechanism for the "builder" service account generation to be disabled. Its associated RBAC should also not be created at the namespace scope.
      • Enhancement proposal accepted and merged into openshift/enhancements.
      • Follow-up JIRA stories drafted and added to this epic.

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated

      Legend

      Unknown

      Verified

      Unsatisfied

      Done Checklist

      • Proposal is submitted and reviewed by OCP engineering leadership
      • Proposal is accepted by OCP leadership
      • Subsequent stories implementing all documented requirements are drafted in JIRA.

            People

              adkaplan@redhat.com Adam Kaplan