1470824 – Revisit privileges granted to Service Accounts used by Ansible Service Broker

Bug 1470824 - Revisit privileges granted to Service Accounts used by Ansible Service Broker

Summary: Revisit privileges granted to Service Accounts used by Ansible Service Broker

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Service Broker
Sub Component:
Version:	3.6.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	low
Target Milestone:	---
Target Release:	3.7.0
Assignee:	John Matthews
QA Contact:	Weihua Meng
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-07-13 18:34 UTC by John Matthews
Modified:	2017-11-28 22:01 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Environment:
Last Closed:	2017-11-28 22:01:28 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2017:3188	0	normal	SHIPPED_LIVE	Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update	2017-11-29 02:34:54 UTC

Description John Matthews 2017-07-13 18:34:21 UTC

Description of problem:

The Ansible Service Broker runs the broker under a service account with 'cluster-admin' rights.

Workflow is that when running an APB:
1. Create a new project (if it doesn't exist)
2. broker will dynamically create a new service account in that project
3. apb runs as the dynamic service account
4. broker deletes the dynamic service account
5. application/services running in the project

We plan to implement a means for an admin to opt into what security privileges they want an APB to run with, that is not in scope for 3.6.0 timeframe.

We would also like to reuse a common role between template broker and ansible service broker if possible.

Comment 1 Fabian von Feilitzsch 2017-07-18 18:14:54 UTC

Minor update, apbs will run as "admin", not "cluster-admin" in 3.6

Comment 2 John Matthews 2017-08-24 16:12:43 UTC

Below PR drops the role to 'edit' for the service account running an APB.

https://github.com/openshift/ansible-service-broker/pull/393

Summary of service accounts:
 Broker runs under 'asb' service account set to 'admin' through a ClusterRoleBinding

 APBs run under a temporary service account granted 'edit' through a RoleBinding in the target namespace.

Comment 4 Weihua Meng 2017-09-28 06:32:43 UTC

blocked by bug https://bugzilla.redhat.com/show_bug.cgi?id=1496426

Comment 5 Weihua Meng 2017-09-28 08:35:38 UTC

Verified on ansible-service-broker 1.0.4
Fixed

docker run --entrypoint=asbd  openshift3/ose-ansible-service-broker:v3.7 --version
1.0.4

- apiVersion: v1
  groupNames: null
  kind: RoleBinding
  metadata:
    creationTimestamp: 2017-09-28T08:19:05Z
    name: apb-26122543-7202-41e4-866d-b9ad913822b8
    namespace: wmeng2
    resourceVersion: "44186"
    selfLink: /oapi/v1/namespaces/wmeng2/rolebindings/apb-26122543-7202-41e4-866d-b9ad913822b8
    uid: b1739e0a-a425-11e7-971a-fa163eeebea6
  roleRef:
    name: edit
  subjects:
  - kind: ServiceAccount
    name: apb-26122543-7202-41e4-866d-b9ad913822b8
    namespace: wmeng2
  userNames:
  - system:serviceaccount:wmeng2:apb-26122543-7202-41e4-866d-b9ad913822b8

Comment 8 errata-xmlrpc 2017-11-28 22:01:28 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2017:3188

Note You need to log in before you can comment on or make changes to this bug.