Since 3.0.2.0, by default serviceAccountConfig.limitSecretReferences is off (see the release notes https://docs.openshift.com/enterprise/3.0/whats_new/ose_3_0_release_notes.html).

In light of this it would be good to review the documentation where 'oc secrets link' or 'oc secrets link --for=mount' (but not 'oc secrets link --for=pull', I think) is referenced.

https://docs.openshift.com/container-platform/3.3/dev_guide/service_accounts.html / Managing Allowed Secrets - should mention that when serviceAccountConfig.limitSecretReferences is off (by default), 'oc secrets link --for=mount' has little effect.

https://docs.openshift.com/container-platform/3.3/dev_guide/managing_images.html / Allowing Pods to Reference Images from Other Secured Registries - the advice about 'oc secrets link' is superfluous unless serviceAccountConfig.limitSecretReferences is on, which it is probably not in the majority of installs.

https://docs.openshift.com/container-platform/3.3/install_config/registry/securing_and_exposing_registry.html / Securing the Registry - ditto

https://docs.openshift.com/container-platform/3.3/dev_guide/builds.html / Source Secrets - ditto
Jim, I created a PR for this issue: https://github.com/openshift/openshift-docs/pull/3475 Can I please get an ack this fulfills this BZ? I'm worried some of the wording is confused. Thanks!
Review added in PR - many thanks.
Commit pushed to master at https://github.com/openshift/openshift-docs

https://github.com/openshift/openshift-docs/commit/15dfa6cc0185b75eb2d0db3f492db658ac991a50
Merge pull request #3475 from bfallonf/secrets_1411421

Bug 1411421 added information on linking pods to serviceaccounts
Links to released docs:

https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/developer-guide/#source-code
https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/developer-guide/#managing-allowed-secrets
https://access.redhat.com/documentation/en/openshift-container-platform/3.4/single/installation-and-configuration/#securing-the-registry