Uploaded image for project: 'OpenShift Pipelines'
  1. OpenShift Pipelines
  2. SRVKP-1578

Option to disable the default pipeline SA

    XMLWordPrintable

Details

    • Option to disable the default pipeline SA
    • False
    • False
    • Done
    • 100
    • 100% 100%
    • Undefined

    Description

      As of today, the OpenShift Pipelines operator will create a pipeline service account on all namespace when installed, with the pipeline-scc which has RunAsAny among other things.

      Why

      This feature can be seen as a security issue as some customers have reported. It would be interesting if a cluster-admin could disable this feature by default.

      This has some impact though : our ClusterTask would note work by default anymore. This has to be clear to the user that when he disables this, either it also disable default cluster task or they are expected to not work. This would require heavy documentation on our part (in a "use case" part of our documentation)

      Acceptance Criteria

      • As a cluster-admin, I can disable the creation of the default pipeline service account on each namespace.

      Attachments

        Issue Links

          is documented by

          Story - Created by Jira Software - do not edit or delete. Issue type for a user story. RHDEVDOCS-3304 Document disabling the default Pipeline SA

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Activity

            People

              sashture Savita .
              vdemeest Vincent Demeester
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: