  1. OpenShift Pipelines
  2. SRVKP-6166

Reduce the role for pipeline service account when we set customRBACresource to true.

      Introduced a new legacyPipelineRbac parameter to control the legacy pipeline service account role on OpenShift.
      When set to true (the default), the current legacy behavior is preserved, granting the pipeline service account edit ClusterRole permissions within the namespace.
      When set to false, the pipeline service account no longer receives the edit ClusterRole, providing more restricted permissions by default.
      Existing role bindings are not automatically removed from namespaces with the pipeline service account, so manual intervention is required when toggling this parameter on existing deployments.
    • Enhancement
    • Done
    • Pipelines Sprint Pioneers 26, Pipelines Sprint Pioneers 27, Pipelines Sprint Pioneers 28, Pipelines Sprint Pioneers 29, Pipelines Sprint Pioneers 30

      What is the nature and description of the request?

      • When we set customRBACresource to "true", it grants the edit cluster role to the pipeline service account, which is a higher privilege for the pipeline service account, using which app teams are able to create deployments and other objects.

      Why does the customer need this? (List the business requirements here)

      • We would like to follow the least-privilege model to restrict the access of the pipeline account.

      How would the customer like to achieve this? (List the functional requirements here)

      • By reducing the privileges of the pipeline service account.
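
An audit for the leftover role bindings that the release note says are not removed automatically, as an added example (not code from this issue or from the operator). It scans RoleBinding JSON for bindings that still give the edit ClusterRole to a service account assumed to be named `pipeline`; the namespaces and binding names in the sample are constructed.

```python
def rb(ns, name, role_kind, role_name, subjects):
    """Build a RoleBinding dict shaped like one item of `oc get ... -o json`."""
    return {"metadata": {"namespace": ns, "name": name},
            "roleRef": {"kind": role_kind, "name": role_name},
            "subjects": subjects}

def sa(name, ns):
    return {"kind": "ServiceAccount", "name": name, "namespace": ns}

# Constructed sample data; every namespace and binding name here is made up.
SAMPLE = {"items": [
    rb("team-a", "edit-for-pipeline", "ClusterRole", "edit", [sa("pipeline", "team-a")]),
    rb("team-b", "shared-edit", "ClusterRole", "edit",
       [sa("pipeline", "team-b"), {"kind": "User", "name": "alice"}]),
    rb("team-c", "local-edit", "Role", "edit", [sa("pipeline", "team-c")]),
    rb("team-d", "view-for-pipeline", "ClusterRole", "view", [sa("pipeline", "team-d")]),
    rb("team-e", "edit-for-builder", "ClusterRole", "edit", [sa("builder", "team-e")]),
    rb("team-f", "no-subjects", "ClusterRole", "edit", None),
]}

def leftover_edit_bindings(rb_list, sa_name="pipeline"):
    """Return RoleBindings that still grant ClusterRole 'edit' to the pipeline SA."""
    findings = []
    for item in rb_list.get("items", []):
        ref = item.get("roleRef", {})
        # A namespaced Role that happens to be called 'edit' is a different object.
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "edit":
            continue
        subjects = item.get("subjects") or []  # the field may be absent or null
        hits = [s for s in subjects
                if s.get("kind") == "ServiceAccount" and s.get("name") == sa_name]
        if not hits:
            continue
        ns = item["metadata"]["namespace"]
        findings.append({
            "namespace": ns,
            "binding": item["metadata"]["name"],
            "sa_namespaces": sorted({s.get("namespace", ns) for s in hits}),
            # Shared bindings also serve other subjects, so deleting them whole
            # would remove access the pipeline SA has nothing to do with.
            "shared": len(hits) < len(subjects),
        })
    return findings

if __name__ == "__main__":
    for f in leftover_edit_bindings(SAMPLE):
        action = "remove only the pipeline subject" if f["shared"] else "delete the binding"
        print(f"{f['namespace']}/{f['binding']}: {action}")
```

On a real cluster, pass the parsed output of `oc get rolebindings.rbac.authorization.k8s.io -A -o json` to `leftover_edit_bindings` in place of `SAMPLE`.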

       

              jkhelil abdeljawed khelil
              rhn-support-dtambat Darshan Tambat
              Sri Vignesh Selvan Sri Vignesh Selvan