Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-104

have ccoctl stop accepting CredentialsRequests w/o ServiceAccounts

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Undefined Undefined
    • None
    • None
    • False
    • False
    • Undefined

      To ease writing ccoctl while waiting for all the in-cluster CredentialsRequests to start including their ServiceAccount details, ccoctl will just fill in a less-secure 'audience' field for the trust policy for the created IAM Roles in the absence of a ServiceAccount name.

      As the ServiceAccount names provide for better Role isolation, remove ccoctl's ability to process CredentialsRequests without ServiceAccount name(s).

       

      https://github.com/openshift/cloud-credential-operator/blob/master/pkg/cmd/provisioning/aws/create-iam-roles.go#L237-L240

            jdiaz@redhat.com Joel Diaz (Inactive)
            jdiaz@redhat.com Joel Diaz (Inactive)
            Lin Wang Lin Wang
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: