- Bug
- Resolution: Unresolved
- Critical
- None
- 4.22.0
- None
Description of problem:
The kube-system/global-pull-secret-syncer- pod should not be using the default service account. As part of OCPSTRAT-2401, core OpenShift components should not be using the default service account, but rather should be using their own bespoke service account. Default service account usage for this pod can be found at https://github.com/openshift/hypershift/blob/c1d28e31a05d186fd9ba67cb21e9bc8c00d87b63/control-plane-operator/hostedclusterconfigoperator/controllers/resources/manifests/pullsecret.go#L43.
Version-Release number of selected component (if applicable):
How reproducible:
https://prow.ci.openshift.org/view/gs/test-platform-results/logs/periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance/2008025981733834752 <-- this test showed default service account usage for kube-system/global-pull-secret-syncer- pod.
Steps to Reproduce:
Running periodic-ci-openshift-hypershift-release-4.22-periodics-e2e-azure-aks-ovn-conformance will show default service account usage for the kube-system/global-pull-secret-syncer- pod in the default service account monitor tests.
Actual results:
kube-system/global-pull-secret-syncer- pod is using default service account.
Expected results:
kube-system/global-pull-secret-syncer- pod should be using its own bespoke service account.
Additional info:
- blocks: OCPSTRAT-2401 Ensure Default Service Accounts are not used by OpenShift Operators (In Progress)
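An added example, not code from the hypershift repository or its monitor tests: a Go check over `kubectl get pods -A -o json` output that reports pods in core namespaces running as the default service account. The sample pod list, the pod-name suffixes, and the `isCore` namespace rule are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// pod mirrors only the fields of `kubectl get pods -A -o json` used here.
type pod struct {
	Metadata struct{ Namespace, Name string } `json:"metadata"`
	Spec     struct {
		ServiceAccountName string `json:"serviceAccountName"`
	} `json:"spec"`
}

// Constructed sample input; name suffixes and the example namespaces are made up.
const samplePods = `{"items":[
 {"metadata":{"namespace":"kube-system","name":"global-pull-secret-syncer-abcde"},"spec":{"serviceAccountName":"default"}},
 {"metadata":{"namespace":"kube-system","name":"example-own-sa"},"spec":{"serviceAccountName":"example-sa"}},
 {"metadata":{"namespace":"openshift-example","name":"example-unset"},"spec":{}},
 {"metadata":{"namespace":"customer-ns","name":"app"},"spec":{"serviceAccountName":"default"}}
]}`

// isCore is an assumed scoping rule for "core component" namespaces.
func isCore(ns string) bool {
	return ns == "kube-system" || strings.HasPrefix(ns, "openshift-")
}

// DefaultSAPods returns sorted "namespace/name" entries for core-namespace pods
// using the default service account. An unset serviceAccountName counts too,
// because such a pod is assigned the namespace's default service account.
func DefaultSAPods(raw []byte) ([]string, error) {
	var list struct {
		Items []pod `json:"items"`
	}
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, fmt.Errorf("decode pod list: %w", err)
	}
	var hits []string
	for _, p := range list.Items {
		sa := p.Spec.ServiceAccountName
		if isCore(p.Metadata.Namespace) && (sa == "" || sa == "default") {
			hits = append(hits, p.Metadata.Namespace+"/"+p.Metadata.Name)
		}
	}
	sort.Strings(hits)
	return hits, nil
}

func main() {
	hits, err := DefaultSAPods([]byte(samplePods))
	fmt.Println(hits, err)
}
```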