
Re: Using OpenShift default service accounts in ephemeral and persistent Jenkins images



Thanks for the feedback, Ben!

I don't have any specific issues with the current Jenkins SA being created within the templates; simply trying to understand the discrepancy and intention of these default SAs as one could be led to believe they should be utilized.

Regards,
Andy  

On Mon, Jun 25, 2018 at 3:51 PM Ben Parees <bparees redhat com> wrote:


On Mon, Jun 25, 2018 at 12:09 PM, Andrew Feller <afeller bandwidth com> wrote:
Is there any reason not to use the OpenShift default service accounts (builder and deployer) with OpenShift jenkins-ephemeral and jenkins-persistent templates aside from the templates aren't set up to support it well?

The template creates its own service account so we can grant it a reasonable set of permissions to ensure that the default credentials the Jenkins jobs run with can perform typical actions in your namespace (thus we give it edit permission).

The builder SA actually has more permissions than that (namely around running privileged pods), so letting Jenkins jobs leverage those credentials could allow jobs to escalate permissions.

Is there a reason you don't want to use the SA the template creates?

 

We haven't found any decisive content around the subject, as the Developer Guide presents these as the intended direction; however, it doesn't really elaborate why and what potential problems it could cause. We haven't tried customizing these templates to see if it's feasible, as it'll take some alterations.

Appreciate any feedback!
Andy
-- 



Andy Feller    Sr DevOps Engineer

900 Main Campus Drive, Suite 500, Raleigh, NC 27606



e: afeller bandwidth com


_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users




--
Ben Parees | OpenShift



--



Andy Feller    Sr DevOps Engineer

900 Main Campus Drive, Suite 500, Raleigh, NC 27606



e: afeller bandwidth com
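
Added example, not part of the thread or of the OpenShift templates: one way to compare the roles a candidate service account would bring to Jenkins jobs against the SA the template creates, run over constructed role-binding data. The namespace "ci", the SA name "jenkins" and the binding names are assumptions made for illustration.

```python
# Constructed sample shaped like the output of `oc get rolebindings -n ci -o json`.
# Namespace "ci", SA name "jenkins" and binding names are illustrative assumptions.
def _rb(name, role, *subjects):
    return {"metadata": {"name": name, "namespace": "ci"},
            "roleRef": {"name": role},
            "subjects": [{"kind": k, "name": n} for k, n in subjects]}

SAMPLE = {"items": [
    _rb("jenkins_edit", "edit", ("ServiceAccount", "jenkins")),
    _rb("system:image-builders", "system:image-builder", ("ServiceAccount", "builder")),
    _rb("system:deployers", "system:deployer", ("ServiceAccount", "deployer")),
    _rb("system:image-pullers", "system:image-puller",
        ("Group", "system:serviceaccounts:ci")),
]}


def roles_for(bindings, namespace, sa):
    """Roles an SA holds directly or through the namespace-wide SA group."""
    sa_group = f"system:serviceaccounts:{namespace}"
    held = set()
    for rb in bindings.get("items", []):
        for s in rb.get("subjects") or []:
            # A subject without a namespace is taken from the binding's namespace.
            ns = s.get("namespace") or rb["metadata"]["namespace"]
            direct = (s.get("kind") == "ServiceAccount"
                      and s.get("name") == sa and ns == namespace)
            via_group = (s.get("kind") in ("Group", "SystemGroup")
                         and s.get("name") == sa_group)
            if direct or via_group:
                held.add(rb["roleRef"]["name"])
    return held


def compare(bindings, namespace, candidate, baseline):
    """Return (extra, missing) roles of `candidate` relative to `baseline`."""
    cand = roles_for(bindings, namespace, candidate)
    base = roles_for(bindings, namespace, baseline)
    return sorted(cand - base), sorted(base - cand)


if __name__ == "__main__":
    for sa in ("builder", "deployer"):
        extra, missing = compare(SAMPLE, "ci", sa, "jenkins")
        print(f"{sa}: extra={extra} missing={missing}")
```

This only looks at namespaced role bindings; cluster-level bindings and security context constraints are separate inputs that it does not examine.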

