Uploaded image for project: 'OpenShift BuildConfig'
  1. OpenShift BuildConfig
  2. OCPBUILD-9

Disable Build/Deployer/Image Registry RBAC Controllers with Capabilities

XMLWordPrintable

    • 8
    • False
    • Hide

      None

      Show
      None
    • False
    • SECFLOWOTL-22 - OCP Capabilities: Disable Builder Service Account
    • Hide
      Previously, role bindings related to the Image Registry, Build, and DeploymentConfig capabilities were created in every namespace, even if the respective capability was disabled. With this change, role bindings will only be created if the respective capability is enabled on the cluster.
      Show
      Previously, role bindings related to the Image Registry, Build, and DeploymentConfig capabilities were created in every namespace, even if the respective capability was disabled. With this change, role bindings will only be created if the respective capability is enabled on the cluster.
    • Enhancement
    • In Progress
    • 8
    • Pipeline Integrations #2260, Builds Sprint #2261, Builds Sprint #3, Builds Sprint #4

      Story (Required)

      As a cluster admin trying to disable the Build, DeploymentConfig, and Image Registry capabilities I want the RBAC controllers for the builder and deployer service accounts and default image-registry rolebindings disabled when their respective capability is disabled.

      <Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer's experience?>

      Background (Required)

      <Describes the context or background related to this story>

      In WRKLDS-695, ocm-o was enhanced to disable the Build and DeploymentConfig controllers when the respective capability was disabled. This logic should be extended to include the controllers that set up the service accounts and role bindings for these respective features.

      Out of scope

      <Defines what is not included in this story>

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

        • Needs manual testing (OpenShift cluster deployed with all/some capabilities disabled). 

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      • Build and DeploymentConfig systems remain functional when the respective capability is enabled.
      • Build, DeploymentConfig, and Image-Puller RoleBinding controllers are not started when the respective capability is disabled.

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated

      • Engineering: 5
      • QE: 2
      • Doc: 2

      Legend

      Unknown

      Verified

      Unsatisfied

      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) is able to proceed with new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

            rh-ee-apjagtap Apoorva Jagtap
            adkaplan@redhat.com Adam Kaplan
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: