Bug 1470861 - Ansible Service Broker: Change ServiceAccount to use 'admin' role
Summary: Ansible Service Broker: Change ServiceAccount to use 'admin' role
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Service Broker
Version: 3.6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: 3.7.0
Assignee: Fabian von Feilitzsch
QA Contact: weiwei jiang
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2017-07-13 20:52 UTC by John Matthews
Modified: 2017-11-28 08:28 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-11-10 20:55:00 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:3188 0 normal SHIPPED_LIVE Moderate: Red Hat OpenShift Container Platform 3.7 security, bug, and enhancement update 2017-11-29 02:34:54 UTC

Description John Matthews 2017-07-13 20:52:08 UTC
Description of problem:

Ansible Service Broker uses 2 service accounts.

Broker Service Account:
  We want this to be 'admin' + delta needed for basic operations (t.b.d.)

Dynamic Service Account to run each APB:
  We want this to be 'admin'

Comment 1 Jordan Liggitt 2017-07-18 14:37:04 UTC
> Dynamic Service Account to run each APB

Where are these service accounts located? Are they in end-user-visible namespaces?

Comment 2 Erik Nelson 2017-07-18 15:15:42 UTC
> Where are these service accounts located? Are they in end-user-visible namespaces?

They're created in the requested namespace where the APB is run and deploys to; I assume this would be considered end-user-visible?

Comment 3 Fabian von Feilitzsch 2017-07-18 18:17:49 UTC
Installer side changes, adds admin permissions to broker: https://github.com/openshift/openshift-ansible/pull/4736

Comment 4 Erik Nelson 2017-07-18 18:29:45 UTC
Drops APB permissions to admin:
https://github.com/openshift/ansible-service-broker/pull/285

Comment 6 weiwei jiang 2017-07-25 02:51:38 UTC
Checked with: 
# openshift version 
openshift v3.6.169
kubernetes v1.6.1+5115d708d7
etcd 3.2.1

and
# asbd --version
0.9.9
and the current serviceaccount asb has the admin role at cluster level, and the sandbox serviceaccount is admin at project level.

# oc get clusterrolebindings |grep -i asb
admin                                                                 /admin                                                                                                                                                 openshift-infra/template-instance-controller, kube-service-catalog/default, openshift-ansible-service-broker/asb   

[root@host-8-175-118 ~]# oc get rolebindings -n wjiang 
NAME                                       ROLE                    USERS     GROUPS                          SERVICE ACCOUNTS                           SUBJECTS
admin                                      /admin                  wjiang                                                                               
apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e   /admin                                                            apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e   
system:deployers                           /system:deployer                                                  deployer                                   
system:image-builders                      /system:image-builder                                             builder                                    
system:image-pullers                       /system:image-puller              system:serviceaccounts:wjiang
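The check in Comment 6 reads `oc get clusterrolebindings` and `oc get rolebindings -n <project>` by eye. Below is an added script that does the same audit over the JSON form of those objects (`-o json`), separating service accounts that hold `admin` cluster-wide from those that hold it in one project and flagging any cluster-wide holder that is not on an expected list. This is example code written for this page, not code from the Ansible Service Broker project or the openshift-ansible installer. The two JSON documents are constructed samples: they reuse the binding and subject names shown in Comment 6 and add one invented service account, `demo/constructed-sa`, so the audit has something to report. The parser only relies on `roleRef.name` and `subjects[].kind/name/namespace`, fields that both the legacy OpenShift binding objects and the Kubernetes RBAC objects carry.

```python
import json

# Constructed sample in the shape `oc get clusterrolebindings -o json` returns.
# Subject names mirror the ones listed in Comment 6; "demo/constructed-sa"
# is an invented extra binding so the audit has something to flag.
CLUSTER_BINDINGS_JSON = r"""
{
  "kind": "List",
  "items": [
    {
      "metadata": {"name": "admin"},
      "roleRef": {"name": "admin"},
      "subjects": [
        {"kind": "ServiceAccount", "name": "template-instance-controller", "namespace": "openshift-infra"},
        {"kind": "ServiceAccount", "name": "default", "namespace": "kube-service-catalog"},
        {"kind": "ServiceAccount", "name": "asb", "namespace": "openshift-ansible-service-broker"},
        {"kind": "ServiceAccount", "name": "constructed-sa", "namespace": "demo"},
        {"kind": "User", "name": "alice"}
      ]
    },
    {
      "metadata": {"name": "basic-users"},
      "roleRef": {"name": "basic-user"},
      "subjects": [{"kind": "Group", "name": "system:authenticated"}]
    }
  ]
}
"""

# Constructed sample in the shape `oc get rolebindings -n wjiang -o json` returns.
PROJECT_BINDINGS_JSON = r"""
{
  "kind": "List",
  "items": [
    {
      "metadata": {"name": "admin", "namespace": "wjiang"},
      "roleRef": {"name": "admin"},
      "subjects": [{"kind": "User", "name": "wjiang"}]
    },
    {
      "metadata": {"name": "apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e", "namespace": "wjiang"},
      "roleRef": {"name": "admin"},
      "subjects": [{"kind": "ServiceAccount", "name": "apb-1251e701-d777-4f93-9bed-2e7f9fd29c8e"}]
    },
    {
      "metadata": {"name": "system:deployers", "namespace": "wjiang"},
      "roleRef": {"name": "deployer"},
      "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "wjiang"}]
    }
  ]
}
"""


def service_accounts_with_role(bindings_json, role="admin"):
    """Return the set of 'namespace/name' service accounts that a binding list grants `role`.

    Non-ServiceAccount subjects (users, groups) are ignored. A subject without its own
    namespace inherits the binding's namespace, which is what a namespaced RoleBinding implies.
    """
    found = set()
    for binding in json.loads(bindings_json).get("items", []):
        if binding.get("roleRef", {}).get("name") != role:
            continue
        binding_ns = binding.get("metadata", {}).get("namespace")
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            ns = subject.get("namespace") or binding_ns
            found.add(f"{ns}/{subject['name']}")
    return found


def audit_admin_bindings(cluster_json, project_json, expected_cluster_admins):
    """Split admin-holding service accounts by scope and flag unexpected cluster-wide holders.

    Cluster-scope admin (the level the broker SA is meant to have) is the sensitive grant;
    project-scope admin is what the per-APB sandbox SA is expected to hold.
    """
    cluster_admins = service_accounts_with_role(cluster_json)
    project_admins = service_accounts_with_role(project_json)
    return {
        "cluster_admin": sorted(cluster_admins),
        "project_admin": sorted(project_admins),
        "unexpected_cluster_admin": sorted(cluster_admins - set(expected_cluster_admins)),
    }


# The three cluster-wide admin service accounts visible in Comment 6.
EXPECTED_CLUSTER_ADMINS = [
    "openshift-infra/template-instance-controller",
    "kube-service-catalog/default",
    "openshift-ansible-service-broker/asb",
]

if __name__ == "__main__":
    report = audit_admin_bindings(CLUSTER_BINDINGS_JSON, PROJECT_BINDINGS_JSON, EXPECTED_CLUSTER_ADMINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Against a live cluster, feed the script the output of `oc get clusterrolebindings -o json` and `oc get rolebindings -n <project> -o json` instead of the embedded samples; anything that lands in `unexpected_cluster_admin` is a service account holding cluster-wide admin that the expected list does not account for, which is the grant worth reviewing after a change like the one this bug tracks.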

