On Mon, Jun 25, 2018 at 12:09 PM, Andrew Feller <afel...@bandwidth.com>
wrote:

> Is there any reason not to use the OpenShift default service accounts
> (builder and deployer)
> <https://docs.openshift.com/container-platform/3.9/dev_guide/service_accounts.html#default-service-accounts-and-roles>
>  with
> OpenShift jenkins-ephemeral
> <https://github.com/openshift/origin/blob/master/examples/jenkins/jenkins-ephemeral-template.json>
> and jenkins-persistent
> <https://github.com/openshift/origin/blob/master/examples/jenkins/jenkins-persistent-template.json>
> templates, aside from the templates not being set up to support it well?
>

The template creates its own service account so we can grant it a
reasonable set of permissions to ensure that the default credentials the
Jenkins jobs run with can perform typical actions in your namespace (thus
we give it edit permission).

The builder SA actually has more permissions than that (namely around
running privileged pods), so letting Jenkins jobs leverage those
credentials could allow jobs to escalate permissions.

Is there a reason you don't want to use the SA the template creates?
>
> We haven't found any decisive content around the subject as the Developer
> Guide presents these as the intended direction, however it doesn't really
> elaborate why and what potential problems it could cause.  We haven't tried
> customizing these templates to see if it's feasible as it'll take some
> alterations.
>
> Appreciate any feedback!
> Andy
> --
>
>
> Andy Feller  •  Sr DevOps Engineer
>
> 900 Main Campus Drive, Suite 500, Raleigh, NC 27606
>
>
> e: afel...@bandwidth.com
>
> _______________________________________________
> users mailing list
> users@lists.openshift.redhat.com
> http://lists.openshift.redhat.com/openshiftmm/listinfo/users
>
>


-- 
Ben Parees | OpenShift
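An added illustration of the pattern Ben describes (not the template's own manifest and not code from the thread): a Jenkins-specific ServiceAccount bound to the namespace-scoped `edit` role, so jobs never inherit the builder SA's broader grants. The project name `myproject`, the SA name `jenkins` and the binding name `jenkins_edit` are assumed.

```yaml
# Illustrative manifest (assumed names), showing a dedicated SA with a
# namespace-scoped "edit" binding instead of reusing the builder SA.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: jenkins            # assumed name; the pod running Jenkins uses this SA
  namespace: myproject     # assumed project
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: jenkins_edit       # assumed name
  namespace: myproject
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: edit               # namespace-scoped edit only: no privileged-pod grants
subjects:
- kind: ServiceAccount
  name: jenkins
  namespace: myproject
# Checks to confirm what the Jenkins jobs' credentials can actually do:
#   oc get rolebinding jenkins_edit -n myproject -o yaml
#   oc policy can-i --as=system:serviceaccount:myproject:jenkins create pods -n myproject
```

The second `oc policy can-i` call impersonates the Jenkins SA, which is the quickest way to confirm it has edit-level rights in the project and nothing beyond them.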