Docs for Red Hat Developers
RHDEVDOCS-5494

Document automatic creation of "edit" rolebinding


    Description

      Story (Required)

      As a cluster admin trying to deploy OpenShift Pipelines I want to know that OpenShift Pipelines grants the default service account the "edit" cluster role so that I can decide if this elevated permission is acceptable to my security team.

      <Describes high level purpose and goal for this story. Answers the questions: Who is impacted, what is it and why do we need it? How does it improve the customer’s experience?>

      Background (Required)

      <Describes the context or background related to this story>

      The OpenShift Pipelines operator by default creates RBAC resources which grant the default pipeline service account the following permissions:

      • Permission to use the pipelines-scc
      • "Edit" rolebinding in the namespace, which amongst other things grants permission to view and edit Secrets and to deploy common workloads (Deployments).

      Our documentation currently does not mention the granting of the "edit" role in a clear and consistent way. See OpenShift Pipelines docs
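      As an added example (not part of this ticket or of the operator's code), the following audit script reads a RoleBinding list in the shape produced by `oc get rolebindings -A -o json` and reports every namespace where a given service account is bound to the `edit` ClusterRole. The service account name `pipeline` and the JSON sample are assumptions constructed for the example; an omitted subject namespace is treated here as the binding's own namespace.

```python
"""Audit RoleBindings for a service account bound to the 'edit' ClusterRole."""
import json

# Constructed sample (not captured from a cluster): two namespaces with an
# operator-style "edit" binding for the pipeline SA, one where a user holds
# "edit", and one where the SA only holds "view".
SAMPLE_ROLEBINDINGS = json.dumps({
    "kind": "List",
    "items": [
        {"metadata": {"name": "edit", "namespace": "team-a"},
         "roleRef": {"kind": "ClusterRole", "name": "edit"},
         "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": "team-a"}]},
        {"metadata": {"name": "edit", "namespace": "team-b"},
         "roleRef": {"kind": "ClusterRole", "name": "edit"},
         "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": "team-b"}]},
        {"metadata": {"name": "edit", "namespace": "team-c"},
         "roleRef": {"kind": "ClusterRole", "name": "edit"},
         "subjects": [{"kind": "User", "name": "alice"}]},
        {"metadata": {"name": "view-only", "namespace": "team-d"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "ServiceAccount", "name": "pipeline", "namespace": "team-d"}]},
    ],
})


def namespaces_granting_role(rolebindings_json, sa_name, role_name="edit"):
    """Return sorted namespaces where ServiceAccount `sa_name` is bound to ClusterRole `role_name`."""
    found = set()
    for rb in json.loads(rolebindings_json).get("items", []):
        ns = rb["metadata"]["namespace"]
        ref = rb.get("roleRef", {})
        # Only ClusterRole references count; a namespaced Role named "edit" is a different grant.
        if ref.get("kind") != "ClusterRole" or ref.get("name") != role_name:
            continue
        for subject in rb.get("subjects") or []:   # "subjects" may be null
            if (subject.get("kind") == "ServiceAccount"
                    and subject.get("name") == sa_name
                    and subject.get("namespace", ns) == ns):
                found.add(ns)
    return sorted(found)


if __name__ == "__main__":
    for ns in namespaces_granting_role(SAMPLE_ROLEBINDINGS, "pipeline"):
        print(f"{ns}: SA 'pipeline' holds ClusterRole 'edit' (read/write Secrets, create Deployments)")
```

      Pipe real cluster output into `namespaces_granting_role` to list the namespaces whose security review should cover the pipeline service account.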

      Out of scope

      <Defines what is not included in this story>

      • Features which allow the automatic RBAC resources to be finely tuned.

      Approach (Required)

      <Description of the general technical path on how to achieve the goal of the story. Include details like json schema, class definitions>

      Dependencies

      <Describes what this story depends on. Dependent Stories and EPICs should be linked to the story.>

      Acceptance Criteria (Mandatory)

      <Describe edge cases to consider when implementing the story and defining tests>

      <Provides a required and minimum list of acceptance tests for this story. More is expected as the engineer implements this story>

      • OpenShift Pipelines docs describe the default behavior of the generated "pipelines" service account:
        • Namespaces where the service account will/will not appear
        • RBAC permissions granted to the "pipelines" service account.
        • Consequences of our defaults - for instance, the "edit" role grants permission to create workloads and read Secrets.
        • Other components that the operator creates to elevate system permissions - for example, SCCs managed by the operator.
        • Interactions with other OpenShift RBAC controllers, such as the auto-generation of pull secrets to the internal registry.
      • Docs describe how the default "pipelines" service account can be disabled.
      • Docs identify any additional actions an admin may need to take after disabling the default "pipelines" service account.

      INVEST Checklist

      Dependencies identified

      Blockers noted and expected delivery timelines set

      Design is implementable

      Acceptance criteria agreed upon

      Story estimated


      Done Checklist

      • Code is completed, reviewed, documented and checked in
      • Unit and integration test automation have been delivered and are running cleanly in the continuous integration/staging/canary environment
      • Continuous Delivery pipeline(s) are able to proceed with the new code included
      • Customer facing documentation, API docs etc. are produced/updated, reviewed and published
      • Acceptance criteria are met

          People

            mramendi Mikhail Ramendik
            adkaplan@redhat.com Adam Kaplan