Loading...

XML

Word

Printable

Type: Epic
Resolution: Done
Priority: Major
Fix Version/s: Pipelines 1.6
Affects Version/s: None
Component/s: Operator
Labels:
- doc-req
- grooming

Epic Name:
Option to disable the default pipeline SA
Blocked:
False
Ready:
False
Epic Status:
Done
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Release Note Text:
Undefined
Market:

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

As of today, the OpenShift Pipelines operator will create a pipeline service account on all namespace when installed, with the pipeline-scc which has RunAsAny among other things.

Why

This feature can be seen as a security issue as some customers have reported. It would be interesting if a cluster-admin could disable this feature by default.

This has some impact though : our ClusterTask would note work by default anymore. This has to be clear to the user that when he disables this, either it also disable default cluster task or they are expected to not work. This would require heavy documentation on our part (in a "use case" part of our documentation)

Acceptance Criteria

As a cluster-admin, I can disable the creation of the default pipeline service account on each namespace.

is documented by

RHDEVDOCS-3304 Document disabling the default Pipeline SA

Closed

Assignee:: Savita .

Reporter:: Vincent Demeester

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2021/07/07 2:15 PM

Updated:: 2022/07/13 6:59 PM

Resolved:: 2022/01/07 11:05 AM

Details

Description

Why

Acceptance Criteria

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates