Red Hat Bugzilla – Bug 1470824
Revisit privileges granted to Service Accounts used by Ansible Service Broker
Last modified: 2017-11-28 17:01:28 EST
Description of problem:
The Ansible Service Broker runs the broker under a service account with 'cluster-admin' rights.
Workflow is that when running an APB:
1. Create a new project (if it doesn't exist)
2. broker will dynamically create a new service account in that project
3. apb runs as the dynamic service account
4. broker deletes the dynamic service account
5. application/services running in the project
We plan to implement a means for an admin to opt into what security privileges they want an APB to run with, that is not in scope for 3.6.0 timeframe.
We would also like to reuse a common role between template broker and ansible service broker if possible.
Minor update, apbs will run as "admin", not "cluster-admin" in 3.6
Below PR drops the role to 'edit' for the service account running an APB.
Summary of service accounts:
Broker runs under 'asb' service account set to 'admin' through a ClusterRoleBinding
APBs run under a temporary service account granted 'edit' through a RoleBinding in the target namespace.
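The workflow in the description (temporary service account per APB run) and the summary above (broker bound to 'admin' cluster-wide, APB account bound to 'edit' only in the target namespace) together define what a least-privilege check looks like. The following is an added example, not code from this bug or from the ansible-service-broker project: a small audit over RBAC bindings exported in the Kubernetes rbac.authorization.k8s.io shape (for instance reduced from `oc get clusterrolebindings,rolebindings --all-namespaces -o json`). The sample bindings, the namespace names and the service account name `apb-123456` are constructed for illustration.

```python
"""Audit the bindings granted to Ansible Service Broker service accounts.

Added example; it assumes bindings in the Kubernetes RBAC shape, reduced to
kind, metadata, roleRef and subjects. Names below are constructed.
"""

# Constructed "after" state: broker SA bound to 'admin' cluster-wide, the
# temporary APB SA bound to 'edit' only inside its target project.
SAMPLE_BINDINGS = [
    {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "asb-admin"},
        "roleRef": {"kind": "ClusterRole", "name": "admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "asb",
                      "namespace": "ansible-service-broker"}],
    },
    {
        "kind": "RoleBinding",
        "metadata": {"name": "apb-edit", "namespace": "demo-project"},
        "roleRef": {"kind": "ClusterRole", "name": "edit"},
        "subjects": [{"kind": "ServiceAccount", "name": "apb-123456",
                      "namespace": "demo-project"}],
    },
]

# Constructed "before" state: the broker SA holds cluster-admin.
BEFORE_BINDINGS = [
    {
        "kind": "ClusterRoleBinding",
        "metadata": {"name": "asb-cluster-admin"},
        "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
        "subjects": [{"kind": "ServiceAccount", "name": "asb",
                      "namespace": "ansible-service-broker"}],
    },
]


def grants_for(bindings, sa_namespace, sa_name):
    """(binding kind, namespace scope or None, role name) for every binding
    whose subjects include the given ServiceAccount."""
    out = []
    for b in bindings:
        for s in b.get("subjects", []):
            if (s.get("kind") == "ServiceAccount"
                    and s.get("name") == sa_name
                    and s.get("namespace") == sa_namespace):
                # A ClusterRoleBinding has no namespace: its scope is None.
                scope = (b["metadata"].get("namespace")
                         if b["kind"] == "RoleBinding" else None)
                out.append((b["kind"], scope, b["roleRef"]["name"]))
    return out


def audit_broker(bindings, broker_ns, broker_sa):
    """Findings for the broker account: any binding to cluster-admin."""
    findings = []
    for kind, _scope, role in grants_for(bindings, broker_ns, broker_sa):
        if role == "cluster-admin":
            findings.append(f"{broker_ns}/{broker_sa}: {kind} grants cluster-admin")
    return findings


def audit_apb(bindings, target_ns, apb_sa):
    """Findings for a temporary APB account: it should hold an 'edit'
    RoleBinding in its own project and nothing cluster-wide or elsewhere."""
    findings = []
    grants = grants_for(bindings, target_ns, apb_sa)
    for kind, scope, role in grants:
        if kind == "ClusterRoleBinding":
            findings.append(f"{target_ns}/{apb_sa}: ClusterRoleBinding to {role} (cluster-wide)")
        elif scope != target_ns:
            findings.append(f"{target_ns}/{apb_sa}: RoleBinding in foreign namespace {scope}")
        elif role != "edit":
            findings.append(f"{target_ns}/{apb_sa}: RoleBinding to {role}, expected edit")
    if not any(k == "RoleBinding" and sc == target_ns and r == "edit"
               for k, sc, r in grants):
        findings.append(f"{target_ns}/{apb_sa}: no 'edit' RoleBinding in target namespace")
    return findings


if __name__ == "__main__":
    for label, bindings in (("before", BEFORE_BINDINGS), ("after", SAMPLE_BINDINGS)):
        print(label, audit_broker(bindings, "ansible-service-broker", "asb"),
              audit_apb(bindings, "demo-project", "apb-123456"))
```

Run against the "after" state both audits return no findings; against the "before" state the broker audit reports the cluster-admin binding and the APB audit reports that no 'edit' RoleBinding exists in the target project, which is the situation this bug was opened to change. Because the APB account is deleted at the end of each run, the check is only meaningful while a run is in progress or against a captured snapshot of the bindings.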
blocked by bug https://bugzilla.redhat.com/show_bug.cgi?id=1496426
Verified on ansible-service-broker 1.0.4
docker run --entrypoint=asbd openshift3/ose-ansible-service-broker:v3.7 --version
- apiVersion: v1
- kind: ServiceAccount
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.