What if someone has granted extra access to one of the default service
accounts? Custom deployments (and I imagine builds too)
may not work w/o granting extra permissions, depending on what the
deployer/builder is actually doing.

On Mon, Jul 17, 2017 at 1:31 PM, Devan Goodwin <[email protected]> wrote:

> I've been working on project archival for online, with regard to
> service accounts we may need to export those created manually by the
> user, and skip those created automatically by OpenShift when we
> created the project.
>
> There does not appear to be any information on those service accounts
> to identify that it was automatically created by OpenShift:
>
> - apiVersion: v1
>   imagePullSecrets:
>   - name: deployer-dockercfg-t2ckf
>   kind: ServiceAccount
>   metadata:
>     creationTimestamp: 2017-07-12T14:48:19Z
>     name: deployer
>     namespace: myproject
>
>
> Is assuming the service accounts with names "builder", "deployer", and
> "default" a stable set we could count on for skipping during an
> export?
>
> Would it be acceptable to start adding an annotation to these service
> accounts similar to what we do for secrets that are attached to those
> SAs?
>
>   kind: Secret
>   metadata:
>     annotations:
>       kubernetes.io/created-by: openshift.io/create-dockercfg-secrets
>
> Perhaps in this case "openshift.io/default-service-accounts"?
> (suggestions welcome)
>
> If so, is there any established precedent for migrating pre-existing
> builder/deployer/default SAs to add the annotation during an upgrade?
>
> Thanks!
>
> Devan
>
> _______________________________________________
> dev mailing list
> [email protected]
> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
>

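The concern raised in the reply, as an added example that is not part of either message or of OpenShift's own code: skipping "builder", "deployer" and "default" by name is only safe when nothing beyond their stock role bindings references them. The sketch assumes the stock bindings are `system:image-builder` for builder and `system:deployer` for deployer; the sample project, the `ci-bot` account and the helper names are constructed for illustration.

```python
# Added example. The role names expected on the default service accounts are an
# assumption about the stock project template, not values taken from this thread.
EXPECTED_ROLES = {
    "builder": {"system:image-builder"},
    "deployer": {"system:deployer"},
    "default": set(),
}

def roles_granted(sa_name, namespace, rolebindings):
    """Roles bound directly to one service account in its own namespace."""
    roles = set()
    for rb in rolebindings:
        for subj in rb.get("subjects") or []:
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("name") == sa_name
                    and subj.get("namespace", namespace) == namespace):
                roles.add(rb["roleRef"]["name"])
    return roles

def plan_export(service_accounts, rolebindings):
    """Split service accounts into export / skip / review-before-skipping."""
    plan = {"export": [], "skip": [], "review": {}}
    for sa in service_accounts:
        name = sa["metadata"]["name"]
        ns = sa["metadata"]["namespace"]
        if name not in EXPECTED_ROLES:
            plan["export"].append(name)          # created by the user
            continue
        extra = roles_granted(name, ns, rolebindings) - EXPECTED_ROLES[name]
        if extra:
            plan["review"][name] = sorted(extra)  # default SA with added access
        else:
            plan["skip"].append(name)
    return plan

def _sa(name):
    return {"kind": "ServiceAccount", "metadata": {"name": name, "namespace": "myproject"}}

def _rb(role, sa_name):
    subject = {"kind": "ServiceAccount", "name": sa_name, "namespace": "myproject"}
    return {"kind": "RoleBinding", "roleRef": {"name": role}, "subjects": [subject]}

# Constructed sample project: "ci-bot" is user-created, "deployer" was given "edit".
SAMPLE_SAS = [_sa(n) for n in ("builder", "deployer", "default", "ci-bot")]
SAMPLE_RBS = [_rb("system:image-builder", "builder"),
              _rb("system:deployer", "deployer"),
              _rb("edit", "deployer")]

if __name__ == "__main__":
    print(plan_export(SAMPLE_SAS, SAMPLE_RBS))
```

Only bindings that name the service account directly are checked; access granted through a group subject or a cluster-level binding needs a separate pass.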