On Mon, Jul 17, 2017 at 10:07 AM, Jordan Liggitt <[email protected]> wrote: > An export should include custom image pull or push secrets added to the > namespace and included in the service account's imagePullSecrets list.
I will change approach here to make sure we include all service accounts and their associated secrets, with some potential merge logic on import. Somewhat leads into another discussion we're having, but is it reasonable to recreate the project separately (potentially with a different name in another cluster), then import objects into it, rather than trying to include the project and rolebinding info in the template/objectlist itself? It felt safer to do this when we're talking about long term archival, differing OpenShift versions, and moving clusters/projects. Thanks for the feedback all. > > On Mon, Jul 17, 2017 at 8:04 AM, Clayton Coleman <[email protected]> > wrote: >> >> Also, if you exported a set of service accounts, assumption is that a new >> one can be added at any time (to all namespaces), which means you already >> have to handle merging them when you restore. >> >> On Mon, Jul 17, 2017 at 7:45 AM, Michail Kargakis <[email protected]> >> wrote: >>> >>> What if someone has granted extra access to one of the default service >>> accounts? Custom deployments (and I imagine builds too) >>> may not work w/o granting extra permissions, depending on what the >>> deployer/builder is actually doing. >>> >>> On Mon, Jul 17, 2017 at 1:31 PM, Devan Goodwin <[email protected]> >>> wrote: >>>> >>>> I've been working on project archival for online, with regard to >>>> service accounts we may need to export those created manually by the >>>> user, and skip those created automatically by OpenShift when we >>>> created the project. >>>> >>>> There does not appear to be any information on those service accounts >>>> to identify that it was automatically created by OpenShift: >>>> >>>> - apiVersion: v1 >>>> imagePullSecrets: >>>> - name: deployer-dockercfg-t2ckf >>>> kind: ServiceAccount >>>> metadata: >>>> creationTimestamp: 2017-07-12T14:48:19Z >>>> name: deployer >>>> namespace: myproject >>>> >>>> >>>> Is assuming the service accounts with names "builder", "deployer", and >>>> "default" a stable set we could count on for skipping during an >>>> export? >>>> >>>> Would it be acceptable to start adding an annotation to these service >>>> accounts similar to what we do for secrets that are attached to those >>>> SAs? >>>> >>>> kind: Secret >>>> metadata: >>>> annotations: >>>> kubernetes.io/created-by: openshift.io/create-dockercfg-secrets >>>> >>>> Perhaps in this case "openshift.io/default-service-accounts"? >>>> (suggestions welcome) >>>> >>>> If so, is there any established precedent for migrating pre-existing >>>> builder/deployer/default SAs to add the annotation during an upgrade? >>>> >>>> Thanks! >>>> >>>> Devan >>>> >>>> _______________________________________________ >>>> dev mailing list >>>> [email protected] >>>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev >>> >>> >>> >>> _______________________________________________ >>> dev mailing list >>> [email protected] >>> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev >>> >> >> >> _______________________________________________ >> dev mailing list >> [email protected] >> http://lists.openshift.redhat.com/openshiftmm/listinfo/dev >> > > > _______________________________________________ > dev mailing list > [email protected] > http://lists.openshift.redhat.com/openshiftmm/listinfo/dev > _______________________________________________ dev mailing list [email protected] http://lists.openshift.redhat.com/openshiftmm/listinfo/dev
