Also, if you exported a set of service accounts, the assumption is that a new one can be added at any time (to all namespaces), which means you already have to handle merging them when you restore.

On Mon, Jul 17, 2017 at 7:45 AM, Michail Kargakis <[email protected]> wrote:

> What if someone has granted extra access to one of the default service
> accounts? Custom deployments (and I imagine builds too)
> may not work w/o granting extra permissions, depending on what the
> deployer/builder is actually doing.
>
> On Mon, Jul 17, 2017 at 1:31 PM, Devan Goodwin <[email protected]>
> wrote:
>
>> I've been working on project archival for online, with regard to
>> service accounts we may need to export those created manually by the
>> user, and skip those created automatically by OpenShift when we
>> created the project.
>>
>> There does not appear to be any information on those service accounts
>> to identify that it was automatically created by OpenShift:
>>
>> - apiVersion: v1
>>   imagePullSecrets:
>>   - name: deployer-dockercfg-t2ckf
>>   kind: ServiceAccount
>>   metadata:
>>     creationTimestamp: 2017-07-12T14:48:19Z
>>     name: deployer
>>     namespace: myproject
>>
>>
>> Is assuming the service accounts with names "builder", "deployer", and
>> "default" a stable set we could count on for skipping during an
>> export?
>>
>> Would it be acceptable to start adding an annotation to these service
>> accounts similar to what we do for secrets that are attached to those
>> SAs?
>>
>> kind: Secret
>> metadata:
>>   annotations:
>>     kubernetes.io/created-by: openshift.io/create-dockercfg-secrets
>>
>> Perhaps in this case "openshift.io/default-service-accounts"?
>> (suggestions welcome)
>>
>> If so, is there any established precedent for migrating pre-existing
>> builder/deployer/default SAs to add the annotation during an upgrade?
>>
>> Thanks!
>>
>> Devan
>>
>> _______________________________________________
>> dev mailing list
>> [email protected]
>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
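The export and restore handling discussed in this thread, sketched as an added example (not code from the thread or from OpenShift): skip auto-created service accounts, report any non-default role still bound to a skipped account so that grant is not silently lost, and merge on restore. Assumptions: the proposed value is read as a `kubernetes.io/created-by` annotation value, `DEFAULT_ROLES` is an assumed mapping of project-creation grants, and all sample objects are constructed.

```python
# Added example. Assumptions: the name set and annotation value come from the
# thread's proposal; DEFAULT_ROLES is a guess at project-creation grants.
DEFAULT_SA_NAMES = {"builder", "deployer", "default"}
CREATED_BY = "kubernetes.io/created-by"
PROPOSED_VALUE = "openshift.io/default-service-accounts"  # proposed, not shipped
DEFAULT_ROLES = {"builder": {"system:image-builder"},
                 "deployer": {"system:deployer"}}

def is_auto_created(sa):
    """Prefer the proposed annotation; fall back to the name heuristic."""
    meta = sa["metadata"]
    if (meta.get("annotations") or {}).get(CREATED_BY) == PROPOSED_VALUE:
        return True
    return meta["name"] in DEFAULT_SA_NAMES

def plan_export(service_accounts, role_bindings):
    """Return (SAs to export, extra grants held by the skipped SAs)."""
    exported = [sa for sa in service_accounts if not is_auto_created(sa)]
    skipped = {sa["metadata"]["name"] for sa in service_accounts
               if is_auto_created(sa)}
    extra = set()
    for rb in role_bindings:
        role = rb["roleRef"]["name"]
        for subj in rb.get("subjects") or []:
            name = subj.get("name")
            if (subj.get("kind") == "ServiceAccount" and name in skipped
                    and role not in DEFAULT_ROLES.get(name, set())):
                extra.add((name, role))
    return exported, sorted(extra)

def plan_restore(exported, existing_names):
    """Split exported SAs into ones to create and ones already present."""
    create = [sa["metadata"]["name"] for sa in exported
              if sa["metadata"]["name"] not in existing_names]
    present = [sa["metadata"]["name"] for sa in exported
               if sa["metadata"]["name"] in existing_names]
    return create, present

def _sa(name, annotations=None):  # constructed sample objects
    return {"kind": "ServiceAccount",
            "metadata": {"name": name, "annotations": annotations}}

SAMPLE_SAS = [_sa("builder"), _sa("deployer"), _sa("default"), _sa("ci-bot"),
              _sa("registry-sync", {CREATED_BY: PROPOSED_VALUE})]
SAMPLE_BINDINGS = [  # constructed: one default grant, one extra grant
    {"roleRef": {"name": "system:deployer"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer"}]},
    {"roleRef": {"name": "edit"},
     "subjects": [{"kind": "ServiceAccount", "name": "deployer"}]},
]
```

With the sample data, `plan_export` exports only `ci-bot` and reports the `edit` grant on `deployer` as something the archive must carry separately.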
