Bug 1470861

Summary: Ansible Service Broker: Change ServiceAccount to use 'admin' role
Product: OpenShift Container Platform
Reporter: John Matthews <jmatthew>
Component: Service Broker
Assignee: Fabian von Feilitzsch <fabian>
Status: CLOSED CURRENTRELEASE
QA Contact: weiwei jiang <wjiang>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 3.6.0
CC: aos-bugs, ernelson, jliggitt, pweil, wmeng
Target Milestone: ---
Target Release: 3.7.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-11-10 20:55:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description John Matthews 2017-07-13 20:52:08 UTC
Description of problem:

Ansible Service Broker uses 2 service accounts.

Broker Service Account:
  We want this to be 'admin' + delta needed for basic operations (t.b.d.)

Dynamic Service Account to run each APB:
  We want this to be 'admin'

Comment 1 Jordan Liggitt 2017-07-18 14:37:04 UTC
> Dynamic Service Account to run each APB

Where are these service accounts located? Are they in end-user-visible namespaces?

Comment 2 Erik Nelson 2017-07-18 15:15:42 UTC
> Where are these service accounts located? Are they in end-user-visible namespaces?

They're created in the requested namespace where the APB is run and deploys to; I assume this would be considered end-user-visible?

Comment 3 Fabian von Feilitzsch 2017-07-18 18:17:49 UTC
Installer side changes, adds admin permissions to broker: https://github.com/openshift/openshift-ansible/pull/4736

Comment 4 Erik Nelson 2017-07-18 18:29:45 UTC
Drops APB permissions to admin:
https://github.com/openshift/ansible-service-broker/pull/285

Comment 6 weiwei jiang 2017-07-25 02:51:38 UTC
Checked with: 
# openshift version 
openshift v3.6.169
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

and
# asbd --version
0.9.9
and the current serviceaccount asb has the admin role at cluster level, while the sandbox serviceaccount is admin at project level.

# oc get clusterrolebindings |grep -i asb
admin                                                                 /admin                                                                                                                                                 openshift-infra/template-instance-controller, kube-service-catalog/default, openshift-ansible-service-broker/asb   

[root@host-8-175-118 ~]# oc get rolebindings -n wjiang 
NAME                                       ROLE                    USERS     GROUPS                          SERVICE ACCOUNTS                           SUBJECTS
admin                                      /admin                  wjiang                                                                               
apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e   /admin                                                            apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e   
system:deployers                           /system:deployer                                                  deployer                                   
system:image-builders                      /system:image-builder                                             builder                                    
system:image-pullers                       /system:image-puller              system:serviceaccounts:wjiang
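To make the end state comment 6 describes checkable in a repeatable way, here is an added example; it is not part of the bug report or of the ansible-service-broker project. It parses the column layout of `oc get clusterrolebindings` and `oc get rolebindings -n <namespace>` as shown above (by header offsets, because empty USERS or GROUPS cells defeat whitespace splitting), lists which service accounts hold admin at cluster scope and at project scope, and flags any dynamic `apb-<uuid>` sandbox account that shows up at cluster scope, which would contradict the intended split (broker account admin cluster-wide, sandbox account admin only in its own project). The tables are constructed inline to mirror the OpenShift 3.6 output quoted in comment 6; the `apb-<uuid>` naming pattern and the `_tabwriter` helper are assumptions of this example, not something the page states.

```python
import re

# Added example: audit admin bindings from oc/kubectl tabular output.
# Sample tables are constructed below to mimic the OpenShift 3.6 layout
# quoted in comment 6 (tabwriter columns, blank cells left empty).


def _tabwriter(rows, pad=3):
    """Lay rows out the way oc's tabwriter does: each column is padded to its
    widest cell plus `pad` spaces; the last column is left unpadded."""
    widths = [max(len(r[i]) for r in rows) for i in range(len(rows[0]))]
    lines = []
    for r in rows:
        cells = [c.ljust(widths[i] + pad) for i, c in enumerate(r[:-1])]
        lines.append(("".join(cells) + r[-1]).rstrip())
    return "\n".join(lines)


COLUMNS = ["NAME", "ROLE", "USERS", "GROUPS", "SERVICE ACCOUNTS", "SUBJECTS"]
BROKER_SA = "openshift-ansible-service-broker/asb"
SANDBOX_SA = "apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e"

# Expected state after the fix (constructed; values from comment 6).
CLUSTER_ROLEBINDINGS = _tabwriter([
    COLUMNS,
    ["admin", "/admin", "", "",
     "openshift-infra/template-instance-controller, kube-service-catalog/default, " + BROKER_SA, ""],
    ["cluster-admin", "/cluster-admin", "", "system:masters", "", ""],
])

# Constructed misconfiguration: a sandbox account bound to admin cluster-wide.
CLUSTER_ROLEBINDINGS_OVERPRIVILEGED = _tabwriter([
    COLUMNS,
    ["admin", "/admin", "", "", BROKER_SA + ", wjiang/" + SANDBOX_SA, ""],
])

PROJECT_ROLEBINDINGS = {
    "wjiang": _tabwriter([
        COLUMNS,
        ["admin", "/admin", "wjiang", "", "", ""],
        [SANDBOX_SA, "/admin", "", "", SANDBOX_SA, ""],
        ["system:deployers", "/system:deployer", "", "", "deployer", ""],
        ["system:image-builders", "/system:image-builder", "", "", "builder", ""],
        ["system:image-pullers", "/system:image-puller", "", "system:serviceaccounts:wjiang", "", ""],
    ]),
}


def parse_table(text):
    """Split an oc/kubectl table into dicts using the header's column offsets.
    Whitespace splitting misplaces cells when USERS or GROUPS is empty, so each
    cell is sliced by the start offset of its header instead."""
    header, *rows = text.splitlines()
    # A header token may contain a single space ("SERVICE ACCOUNTS");
    # columns are separated by at least two spaces.
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", header)]
    records = []
    for row in rows:
        rec = {}
        for i, (name, start) in enumerate(cols):
            end = cols[i + 1][1] if i + 1 < len(cols) else None
            rec[name] = row[start:end].strip()
        records.append(rec)
    return records


def _subjects(cell):
    return [s.strip() for s in cell.split(",") if s.strip()]


def admin_service_accounts(cluster_text, project_tables):
    """Return (cluster-scope admin SAs, {namespace: project-scope admin SAs}),
    with every account written as namespace/name."""
    cluster = set()
    for rec in parse_table(cluster_text):
        if rec["ROLE"] in ("/admin", "/cluster-admin"):
            cluster.update(_subjects(rec["SERVICE ACCOUNTS"]))
    project = {}
    for ns, text in project_tables.items():
        for rec in parse_table(text):
            if rec["ROLE"] == "/admin":
                for sa in _subjects(rec["SERVICE ACCOUNTS"]):
                    project.setdefault(ns, set()).add(f"{ns}/{sa}")
    return cluster, project


# Assumed naming of the per-APB sandbox accounts: "apb-" followed by a UUID.
DYNAMIC_SA = re.compile(r"^apb-[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def findings(cluster_admin_sas):
    """Flag dynamic APB sandbox accounts holding admin at cluster scope; they
    are meant to be admin only in the project they were created in."""
    return sorted(
        f"{sa}: dynamic APB account has cluster-scope admin"
        for sa in cluster_admin_sas
        if DYNAMIC_SA.match(sa.split("/", 1)[-1])
    )


if __name__ == "__main__":
    cluster, project = admin_service_accounts(CLUSTER_ROLEBINDINGS, PROJECT_ROLEBINDINGS)
    print("cluster-scope admin:", sorted(cluster))
    print("project-scope admin:", {ns: sorted(v) for ns, v in project.items()})
    print("findings:", findings(cluster))
```

Against a live cluster, feed the text of `oc get clusterrolebindings` and one `oc get rolebindings -n <ns>` per project into `admin_service_accounts`; the header-driven parser only depends on the column names, so it copes with a different column order as long as ROLE and SERVICE ACCOUNTS are present.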