Red Hat Bugzilla – Bug 1470824
Revisit privileges granted to Service Accounts used by Ansible Service Broker
Last modified: 2017-10-02 15:28:15 EDT
Description of problem:
The Ansible Service Broker runs the broker under a service account with 'cluster-admin' rights.
Workflow is that when running an APB:
1. Create a new project (if it doesn't exist)
2. broker will dynamically create a new service account in that project
3. apb runs as the dynamic service account
4. broker deletes the dynamic service account
5. application/services running in the project
We plan to implement a means for an admin to opt into what security privileges they want an APB to run with, but that is not in scope for the 3.6.0 timeframe.
We would also like to reuse a common role between template broker and ansible service broker if possible.
Minor update: APBs will run as "admin", not "cluster-admin", in 3.6.
Below PR drops the role to 'edit' for the service account running an APB.
Summary of service accounts:
Broker runs under 'asb' service account set to 'admin' through a ClusterRoleBinding
APBs run under a temporary service account granted 'edit' through a RoleBinding in the target namespace.
blocked by bug https://bugzilla.redhat.com/show_bug.cgi?id=1496426
Verified on ansible-service-broker 1.0.4
docker run --entrypoint=asbd openshift3/ose-ansible-service-broker:v3.7 --version
- apiVersion: v1
- kind: ServiceAccount
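The two bindings summarized above (the broker's 'asb' service account holding 'admin' cluster-wide, and a per-APB temporary service account holding 'edit' only in the target namespace) can be expressed as plain RBAC manifests. The following is an added illustration, not a manifest taken from the ansible-service-broker project or from the PR referenced in this bug; the namespace names `ansible-service-broker` and `target-project`, the temporary service account name `apb-tmp-example`, and the use of the `rbac.authorization.k8s.io/v1` API group (Kubernetes 1.8 and later; 3.7-era clusters would use `v1beta1`) are assumptions made for the example.

```yaml
# Added example: cluster-wide 'admin' for the broker's own service account.
# Namespace name is assumed; the 'asb' account name comes from the bug text.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: asb-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- kind: ServiceAccount
  name: asb
  namespace: ansible-service-broker
---
# Added example: the temporary service account the broker creates for one APB run
# (name assumed) gets 'edit' through a RoleBinding scoped to the target namespace,
# so it cannot act outside that project and cannot change RBAC inside it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: apb-tmp-example
  namespace: target-project
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: apb-tmp-example-edit
  namespace: target-project
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit
subjects:
- kind: ServiceAccount
  name: apb-tmp-example
  namespace: target-project
```

The same result can be reached with `oc adm policy add-cluster-role-to-user admin -z asb -n ansible-service-broker` and `oc adm policy add-role-to-user edit -z apb-tmp-example -n target-project`. To confirm the scoping after applying the bindings, `oc auth can-i create rolebindings -n target-project --as=system:serviceaccount:target-project:apb-tmp-example` should answer "no" (the 'edit' role carries no RBAC write permissions), while the same check against a different namespace should also answer "no" because the RoleBinding is namespaced; the 'asb' account, holding 'admin' via a ClusterRoleBinding, will answer "yes" in any namespace.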