Bug 1411421

Summary: [DOCS] "oc secrets link" advice needs review
Product: OpenShift Container Platform
Component: Documentation
Version: 3.3.0
Status: CLOSED CURRENTRELEASE
Severity: unspecified
Priority: unspecified
Reporter: Jim Minter <jminter>
Assignee: brice <bfallonf>
QA Contact: Chuan Yu <chuyu>
Docs Contact: Vikram Goyal <vigoyal>
CC: aos-bugs, jminter, jokerman, mmccomas, wsun
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2017-02-03 04:41:54 UTC
Type: Bug

Description Jim Minter 2017-01-09 16:49:40 UTC
Since 3.0.2.0, by default serviceAccountConfig.limitSecretReferences is off (see the release notes https://docs.openshift.com/enterprise/3.0/whats_new/ose_3_0_release_notes.html).  

In light of this it would be good to review the documentation where 'oc secrets link' or 'oc secrets link --for=mount' (but not 'oc secrets link --for=pull', I think) is referenced.

https://docs.openshift.com/container-platform/3.3/dev_guide/service_accounts.html / Managing Allowed Secrets
- should mention that when serviceAccountConfig.limitSecretReferences is off (by default), 'oc secrets link --for=mount' has little effect.

https://docs.openshift.com/container-platform/3.3/dev_guide/managing_images.html / Allowing Pods to Reference Images from Other Secured Registries
- the advice about 'oc secrets link' is superfluous unless serviceAccountConfig.limitSecretReferences is on, which it is probably not in the majority of installs.

https://docs.openshift.com/container-platform/3.3/install_config/registry/securing_and_exposing_registry.html / Securing the Registry
- ditto

https://docs.openshift.com/container-platform/3.3/dev_guide/builds.html / Source Secrets
- ditto
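
An added example, not part of the original report or the OpenShift code base: a small audit that lists pods referencing secrets not linked to their service account, which is what would start being rejected if serviceAccountConfig.limitSecretReferences were turned on. It assumes the setting, when on, refuses pods whose volume or environment secret references are absent from the service account's `secrets` list; the function names and sample objects are constructed for illustration.

```python
# Simplified model (assumption) of the mountable-secret check controlled by
# serviceAccountConfig.limitSecretReferences. Objects follow `oc get -o json` shape.

def mounted_secrets(pod):
    """Secret names a pod references through volumes or container env vars."""
    spec = pod["spec"]
    names = {v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    for container in spec.get("initContainers", []) + spec.get("containers", []):
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
    return names

def unlinked_references(pods, service_accounts):
    """Map pod name -> sorted secrets it uses that are not linked to its service account."""
    linked = {(sa["metadata"]["namespace"], sa["metadata"]["name"]):
              {s["name"] for s in sa.get("secrets", [])} for sa in service_accounts}
    findings = {}
    for pod in pods:
        namespace = pod["metadata"]["namespace"]
        sa_name = pod["spec"].get("serviceAccountName", "default")
        missing = mounted_secrets(pod) - linked.get((namespace, sa_name), set())
        if missing:
            findings[pod["metadata"]["name"]] = sorted(missing)
    return findings

def admitted(pod, service_accounts, limit_secret_references):
    """With the setting off (the default), link state does not affect admission."""
    return not limit_secret_references or not unlinked_references([pod], service_accounts)

# Constructed sample data: only db-creds has been linked for mounting.
SERVICE_ACCOUNTS = [{"metadata": {"namespace": "demo", "name": "default"},
                     "secrets": [{"name": "db-creds"}]}]
PODS = [
    {"metadata": {"namespace": "demo", "name": "web"},
     "spec": {"volumes": [{"name": "creds", "secret": {"secretName": "db-creds"}}],
              "containers": [{"name": "web"}]}},
    {"metadata": {"namespace": "demo", "name": "worker"},
     "spec": {"containers": [{"name": "worker", "env": [
         {"name": "TOKEN",
          "valueFrom": {"secretKeyRef": {"name": "api-token", "key": "token"}}}]}]}},
]

if __name__ == "__main__":
    print(unlinked_references(PODS, SERVICE_ACCOUNTS))
```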

Comment 1 brice 2017-01-11 05:08:29 UTC
Jim,

I created a PR for this issue:

https://github.com/openshift/openshift-docs/pull/3475

Can I please get an ack that this fulfills this BZ? I'm worried some of the wording is confused.

Thanks!

Comment 2 Jim Minter 2017-01-11 08:59:57 UTC
Review added in PR - many thanks.

Comment 3 openshift-github-bot 2017-01-17 02:23:56 UTC
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/15dfa6cc0185b75eb2d0db3f492db658ac991a50
Merge pull request #3475 from bfallonf/secrets_1411421

Bug 1411421 added information on linking pods to serviceaccounts