Bug
Resolution: Won't Do
Critical
4.23
Description of problem:
Monitor tests have detected default service account usage for openshift-commatrix-test/debug- pod.
https://sippy.dptools.openshift.org/sippy-ng/tests/4.22/analysis?test=%5BMonitor%3Ano-default-service-account-operator-checker%5D%5Bsig-auth%5D%20all%20pods%20in%20openshift-commatrix-test%20namespace%20must%20not%20use%20the%20default%20service%20account.&filters=%7B%22items%22%3A%5B%7B%22columnField%22%3A%22name%22%2C%22operatorValue%22%3A%22equals%22%2C%22value%22%3A%22%5BMonitor%3Ano-default-service-account-operator-checker%5D%5Bsig-auth%5D%20all%20pods%20in%20openshift-commatrix-test%20namespace%20must%20not%20use%20the%20default%20service%20account.%22%7D%2C%7B%22columnField%22%3A%22variants%22%2C%22not%22%3Atrue%2C%22operatorValue%22%3A%22has%20entry%22%2C%22value%22%3A%22never-stable%22%7D%2C%7B%22columnField%22%3A%22variants%22%2C%22not%22%3Atrue%2C%22operatorValue%22%3A%22has%20entry%22%2C%22value%22%3A%22aggregated%22%7D%5D%2C%22linkOperator%22%3A%22and%22%7D
^ See here ^
As part of OCPSTRAT-2401, pods in the OpenShift core payload should not be using the default service account, but rather their own bespoke service account with the required permissions.
Version-Release number of selected component (if applicable):
How reproducible:
Steps to Reproduce:
1.
2.
3.
Actual results:
openshift-commatrix-test/debug- pod is using default service account.
Expected results:
openshift-commatrix-test/debug- pod is using its own service account.
Additional info:
Currently unsure if this is something we should be concerned about, as it may not be core OpenShift. Debug pod code may be here --> https://github.com/openshift/oc/blob/main/pkg/cli/debug/debug.go#L450-L453 .
- blocks: OCPSTRAT-2401 Ensure Default Service Accounts are not used by OpenShift Operators (In Progress)
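A minimal check of the kind the description refers to, as an added example (not the monitor test's own code and not code from openshift/oc): it flags pods in `oc get pods -n <namespace> -o json` output whose service account is `default` or unset. The pod names and the `commatrix-debug` service account in the sample are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)
// podList mirrors only the fields of `oc get pods -n <ns> -o json` used here.
type podList struct {
	Items []struct {
		Metadata struct {
			Namespace string `json:"namespace"`
			Name      string `json:"name"`
		} `json:"metadata"`
		Spec struct {
			ServiceAccountName string `json:"serviceAccountName"`
			ServiceAccount     string `json:"serviceAccount"` // deprecated alias
		} `json:"spec"`
	} `json:"items"`
}

// Constructed sample input, not taken from a real cluster.
const samplePods = `{"items":[
 {"metadata":{"namespace":"openshift-commatrix-test","name":"debug-example"},"spec":{"serviceAccountName":"default"}},
 {"metadata":{"namespace":"openshift-commatrix-test","name":"unset-example"},"spec":{}},
 {"metadata":{"namespace":"openshift-commatrix-test","name":"bespoke-example"},"spec":{"serviceAccountName":"commatrix-debug"}}
]}`

// defaultSAPods returns "namespace/name" for each pod running as "default".
// An unset account also counts: admission fills in "default" for it.
func defaultSAPods(raw []byte) ([]string, error) {
	var pl podList
	if err := json.Unmarshal(raw, &pl); err != nil {
		return nil, fmt.Errorf("parse pod list: %w", err)
	}
	var bad []string
	for _, p := range pl.Items {
		sa := p.Spec.ServiceAccountName
		if sa == "" {
			sa = p.Spec.ServiceAccount
		}
		if sa == "" || sa == "default" {
			bad = append(bad, p.Metadata.Namespace+"/"+p.Metadata.Name)
		}
	}
	return bad, nil
}

func main() {
	fmt.Println(defaultSAPods([]byte(samplePods)))
}
```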