-
Story
-
Resolution: Unresolved
-
Critical
-
None
-
3
-
Documentation (Ref Guide, User Guide, etc.), User Experience
-
---
-
---
Story (Required)
As a cluster admin trying to deploy OpenShift Pipelines I want to know that OpenShift Pipelines grants the default service account the "edit" cluster role so that I can decide if this elevated permission is acceptable to my security team.
<Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer’s experience?>
Background (Required)
<Describes the context or background related to this story>
The OpenShift Pipelines operator by default creates RBAC resources which grants the default pipeline service account the following permissions:
- Permission to use the pipelines-scc
- "Edit" rolebinding in the namespace, which amongst other things grants permission to view and edit secrets, and deploy common workloads (Deployment).
Our documentation currently does not mention the granting of the "edit" role in a clear and consistent way. See OpenShift Pipelines docs
Out of scope
<Defines what is not included in this story>
- Features which allow the automatic RBAC resources to be finely tuned.
Approach (Required)
<Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>
Dependencies
<Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>
Acceptance Criteria (Mandatory)
<Describe edge cases to consider when implementing the story and defining tests>
<Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>
- OpenShift Pipelines docs describe the default behavior of the generated "pipelines" service account:
- Namespaces where the service account will/will not appear
- RBAC permissions granted to the "pipelines" service account.
- Consequences of our defaults - for instance, the "edit" role grants permission to create workloads and read Secrets.
- Other components that the operator creates to elevate system permissions - for example, SCCs managed by the operator.
- Interactions with other OpenShift RBAC controllers, such as the auto-generation of pull secrets to the internal registry.
- Docs describe how the default "pipelines" service account can be disabled.
- Docs identify any additional actions an admin may need to take after disabling the default "pipelines" service account.
INVEST Checklist
Dependencies identified
Blockers noted and expected delivery timelines set
Design is implementable
Acceptance criteria agreed upon
Story estimated
Legend
Unknown
Verified
Unsatisfied
Done Checklist
- Code is completed, reviewed, documented and checked in
- Unit and integration test automation have been delivered and running cleanly in continuous integration/staging/canary environment
- Continuous Delivery pipeline(s) is able to proceed with new code included
- Customer facing documentation, API docs etc. are produced/updated, reviewed and published
- Acceptance criteria are met