Remove pre-defined role for service accounts #856

Open
wants to merge 1 commit into
base: main
lingyzhuang
Contributor

@lingyzhuang lingyzhuang commented Jun 10, 2025

In _common/_service-account.tpl file:

  1. Create ServiceAccount
  2. Create ClusterRole with permissions read/create/delete/patch to secrets. Bind this role to namespaces .Release.Namespace and tssc
  3. Create read-only ClusterRole, do ClusterRoleBinding for this role
  4. RoleBinding binds a role to a specific namespace (.Release.Namespace)

Remove Cluster-admin ClusterRole, use read-only ClusterRole and secret read-write ClusterRole instead.

ServiceAccount in chart tssc-gitops needs all verbs to all the resources to do some configurations, so create a Role and bind it to namespace tssc-gitops.

Jira: RHTAP-4880
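
The layout described in the PR description above, sketched as a Helm template fragment. This is an added example, not part of the pull request and not the contents of _common/_service-account.tpl. Every `example-*` name is hypothetical, and the mapping of "read" to get/list/watch and the read-only resource list are assumptions.

```yaml
# Added illustration; example-sa, example-secrets-rw and example-read-only are hypothetical names.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: example-sa
  namespace: {{ .Release.Namespace }}
---
# Secret read-write rules are defined once as a ClusterRole ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: example-secrets-rw}
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # "read" is assumed to mean get/list/watch
    verbs: ["get", "list", "watch", "create", "delete", "patch"]
---
# ... but granted through a namespaced RoleBinding, so they apply only inside
# that namespace. A second RoleBinding of the same shape goes in "tssc".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: example-secrets-rw
  namespace: {{ .Release.Namespace }}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: example-secrets-rw}
subjects:
  - kind: ServiceAccount
    name: example-sa
    namespace: {{ .Release.Namespace }}
---
# Cluster-wide access is read-only. The resource list is assumed; a "*" here
# would also expose secrets in every namespace, so resources are listed explicitly.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata: {name: example-read-only}
rules:
  - apiGroups: [""]
    resources: ["namespaces", "configmaps", "pods", "services"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata: {name: example-read-only}
roleRef: {apiGroup: rbac.authorization.k8s.io, kind: ClusterRole, name: example-read-only}
subjects:
  - kind: ServiceAccount
    name: example-sa
    namespace: {{ .Release.Namespace }}
```

After installing, `kubectl auth can-i delete secrets -n <other-namespace> --as=system:serviceaccount:<release-namespace>:example-sa` should answer `no` for any namespace without a RoleBinding, which confirms the write access did not stay cluster-wide.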


openshift-ci bot commented Jun 10, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@lingyzhuang lingyzhuang force-pushed the remove-pre-defined-role branch 5 times, most recently from 8c5321b to 7e4a357 Compare June 12, 2025 08:50
@lingyzhuang lingyzhuang marked this pull request as ready for review June 12, 2025 11:11
@openshift-ci openshift-ci bot requested review from jkopriva and prietyc123 June 12, 2025 11:11
@lingyzhuang lingyzhuang requested a review from Roming22 June 12, 2025 11:11
@lingyzhuang lingyzhuang force-pushed the remove-pre-defined-role branch from 7e4a357 to e709faf Compare June 13, 2025 14:15
@lingyzhuang lingyzhuang force-pushed the remove-pre-defined-role branch from e709faf to 392b3a3 Compare June 13, 2025 15:45
Member

@Roming22 Roming22 left a comment

/lgtm

openshift-ci bot commented Jun 13, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: lingyzhuang, Roming22

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@konflux-ci-qe-bot

@lingyzhuang: The following test has Failed, say /retest to rerun failed tests.

| PipelineRun Name | Status | Rerun command | Build Log | Test Log |
| --- | --- | --- | --- | --- |
| e2e-4.17-jm4z5 | Failed | /retest | View Pipeline Log | View Test Logs |

Inspecting Test Artifacts

To inspect your test artifacts, follow these steps:

  1. Install ORAS (see the ORAS installation guide).
  2. Download artifacts with the following commands:
     mkdir -p oras-artifacts
     cd oras-artifacts
     oras pull quay.io/konflux-test-storage/rhtap-team/rhtap-cli:e2e-4.17-jm4z5

Test results analysis

<not enabled>

3 participants