An export should include custom image pull or push secrets added to the namespace and included in the service account's imagePullSecrets list.
On Mon, Jul 17, 2017 at 8:04 AM, Clayton Coleman <[email protected]> wrote: > Also, if you exported a set of service accounts, assumption is that a new > one can be added at any time (to all namespaces), which means you already > have to handle merging them when you restore. > > On Mon, Jul 17, 2017 at 7:45 AM, Michail Kargakis <[email protected]> > wrote: > >> What if someone has granted extra access to one of the default service >> accounts? Custom deployments (and I imagine builds too) >> may not work w/o granting extra permissions, depending on what the >> deployer/builder is actually doing. >> >> On Mon, Jul 17, 2017 at 1:31 PM, Devan Goodwin <[email protected]> >> wrote: >> >>> I've been working on project archival for online, with regard to >>> service accounts we may need to export those created manually by the >>> user, and skip those created automatically by OpenShift when we >>> created the project. >>> >>> There does not appear to be any information on those service accounts >>> to identify that it was automatically created by OpenShift: >>> >>> - apiVersion: v1 >>> imagePullSecrets: >>> - name: deployer-dockercfg-t2ckf >>> kind: ServiceAccount >>> metadata: >>> creationTimestamp: 2017-07-12T14:48:19Z >>> name: deployer >>> namespace: myproject >>> >>> >>> Is assuming the service accounts with names "builder", "deployer", and >>> "default" a stable set we could count on for skipping during an >>> export? >>> >>> Would it be acceptable to start adding an annotation to these service >>> accounts similar to what we do for secrets that are attached to those >>> SAs? >>> >>> kind: Secret >>> metadata: >>> annotations: >>> kubernetes.io/created-by: openshift.io/create-dockercfg-secrets >>> >>> Perhaps in this case "openshift.io/default-service-accounts"? >>> (suggestions welcome) >>> >>> If so, is there any established precedent for migrating pre-existing >>> builder/deployer/default SAs to add the annotation during an upgrade? >>> >>> Thanks! >>> >>> Devan >>> >>> _______________________________________________ >>> dev mailing list >>> [email protected] >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev >>> >> >> >> _______________________________________________ >> dev mailing list >> [email protected] >> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev >> >> > > _______________________________________________ > dev mailing list > [email protected] > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev > >
_______________________________________________ dev mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
