OpenShift Request For Enhancement: RFE-3481

Allow setting serviceAccount must-gather should run to remove cluster-admin requirements

    • Feature Request
    • Resolution: Done
    • Major
    • oc

      1. Proposed title of this feature request
      Allow setting serviceAccount must-gather should run to assign specific permissions

      2. What is the nature and description of the request?
      Based on RFE-3477 it would be helpful to have an option to define the serviceAccount the must-gather should run with. With that, it would be possible to assign a specific Role to the serviceAccount that has limited permissions and thus avoid running must-gather with cluster-admin. Running must-gather with cluster-admin exposes the risk of having the possibility to pretty much delete the entire OpenShift Container Platform 4 - Cluster (remove all options, nodes or modify them). Hence enterprise organizations are looking to limit the permissions to the bare minimum to prevent any production problem from happening by simply running must-gather.

      Hence giving customers the option to specify a serviceAccount would give them the possibility to restrict the set of permissions available to the pod but also would avoid a broad impact as by default it would still run as is (but would give the possibility to restrict it, if and where required).

      3. Why does the customer need this? (List the business requirements here)
      Certain Enterprise customers are required to restrict permissions on OpenShift Container Platform 4 to the extent possible. With must-gather running as a privileged pod this does expose a security risk, as a malfunction or a security breach in this area would allow modifying data or even removing objects such as OpenShift Container Platform 4 - Node, secret data, etc.

      Hence there is a strong requirement to limit permissions. As it should not impact other customers, an idea could be to specify a serviceAccount with a Role assigned that has limited permissions and potentially does not allow to patch or delete objects.

      With that, great flexibility could be created and there would not be a need for Red Hat to modify or provide pre-created Roles. Instead, Enterprise customers could simply specify what is needed and adjust if and when must-gather would fail to run, or then decline to run must-gather as it's considered too much of a risk for them.

      4. List any affected packages or components.
      oc CLI

            gausingh@redhat.com Gaurav Singh
            rhn-support-sreber Simon Reber
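
A check a cluster administrator could run on the Role intended for such a serviceAccount before binding it, flagging any rule that grants more than read access (for example patch, delete or a wildcard). This is an added example, not part of the request or of the oc CLI; the role name, its rules and the choice of get/list/watch as the read-only set are assumptions made for illustration.

```python
import json

# Assumption of this check: only these verbs are treated as read-only.
READ_ONLY_VERBS = {"get", "list", "watch"}

# Constructed sample: a hypothetical ClusterRole for a must-gather
# serviceAccount. The name and rules are invented for this example.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "must-gather-restricted"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "nodes", "events"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "patch"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]}
  ]
}
""")


def audit_role(role):
    """Return one finding per rule that grants verbs beyond read access."""
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        excess = sorted(verbs - READ_ONLY_VERBS)
        if not excess:
            continue  # rule is read-only, nothing to report
        # A rule targets either resources or non-resource URLs.
        targets = rule.get("resources") or rule.get("nonResourceURLs") or []
        findings.append({
            "rule": index,               # position in the role's rules list
            "verbs": excess,             # verbs that can change cluster state
            "targets": sorted(targets),
            "wildcard": "*" in verbs,    # "*" grants every verb
        })
    return findings


if __name__ == "__main__":
    for finding in audit_role(SAMPLE_ROLE):
        print(finding)
```
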