
Re: Using OpenShift default service accounts in ephemeral and persistent Jenkins images





On Mon, Jun 25, 2018 at 12:09 PM, Andrew Feller <afeller bandwidth com> wrote:
Is there any reason not to use the OpenShift default service accounts (builder and deployer) with OpenShift jenkins-ephemeral and jenkins-persistent templates aside from the templates aren't set up to support it well?

The template creates its own service account so we can grant it a reasonable set of permissions to ensure that the default credentials the jenkins jobs run with can perform typical actions in your namespace (thus we give it edit permission).

The builder SA actually has more permissions than that (namely around running privileged pods), so letting jenkins jobs leverage those credentials could allow jobs to escalate permissions.

Is there a reason you don't want to use the SA the template creates?

 

We haven't found any decisive content around the subject as the Developer Guide presents these as the intended direction; however, it doesn't really elaborate why and what potential problems it could cause. We haven't tried customizing these templates to see if it's feasible as it'll take some alterations.

Appreciate any feedback!
Andy
-- 



Andy Feller    Sr DevOps Engineer

900 Main Campus Drive, Suite 500, Raleigh, NC 27606



e: afeller bandwidth com


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users




--
Ben Parees | OpenShift
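
An added example, not part of the original thread and not OpenShift project code: one way to audit the point made in the reply above, by listing which service account each Jenkins pod runs as and which roles are bound to that account directly. The project name `ci`, the pod names and both JSON documents are constructed; group bindings and security context constraints are not resolved here.

```python
# Constructed sample data, shaped like `oc get rolebindings -o json` and
# `oc get pods -o json` for a hypothetical project named "ci".
ROLEBINDINGS = {"items": [
    {"roleRef": {"name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "jenkins", "namespace": "ci"}]},
    {"roleRef": {"name": "system:image-builder"},
     "subjects": [{"kind": "ServiceAccount", "name": "builder", "namespace": "ci"}]},
    {"roleRef": {"name": "system:deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer", "namespace": "ci"}]},
]}
PODS = {"items": [
    {"metadata": {"name": "jenkins-1-abcde", "namespace": "ci"},
     "spec": {"serviceAccountName": "jenkins"}},
    {"metadata": {"name": "jenkins-custom-1-fghij", "namespace": "ci"},
     "spec": {"serviceAccountName": "builder"}},
    {"metadata": {"name": "jenkins-legacy-1-klmno", "namespace": "ci"},
     "spec": {}},  # no serviceAccountName: the pod runs as "default"
]}

# Accounts every project gets automatically; none is the template's own SA.
DEFAULT_SAS = {"builder", "deployer", "default"}


def roles_by_sa(rolebindings, namespace):
    """Map each service account in `namespace` to the roles bound to it."""
    roles = {}
    for rb in rolebindings.get("items", []):
        for subj in rb.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            # A subject without a namespace refers to the binding's namespace.
            if subj.get("namespace", namespace) != namespace:
                continue
            roles.setdefault(subj["name"], set()).add(rb["roleRef"]["name"])
    return roles


def audit(pods, rolebindings, namespace, expected_roles=frozenset({"edit"})):
    """Flag pods whose service account is a project default or holds
    roles outside `expected_roles` (the template's SA is given edit)."""
    bound = roles_by_sa(rolebindings, namespace)
    findings = []
    for pod in pods.get("items", []):
        if pod["metadata"].get("namespace") != namespace:
            continue
        sa = pod["spec"].get("serviceAccountName", "default")
        extra = sorted(bound.get(sa, set()) - expected_roles)
        if sa in DEFAULT_SAS or extra:
            findings.append((pod["metadata"]["name"], sa, extra))
    return findings
```
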

