Open
Description
Is there an existing feature request for this?
- I have searched the existing feature requests
Is your feature request related to a problem or use-case? Please describe.
In Shipwright's v1alpha1 API, we had a feature that let the build controller generate service accounts that were scoped only to the build. During the v1beta1 API review, we deemed this feature to be challenging to maintain and a security risk in its own right. We decided to remove it from the API, but preserved the controller logic.
Describe the solution that you would like.
We should remove the service account generation logic in the BuildRun controller. This will help facilitate the removal of the v1alpha1
API.
Describe alternatives you have considered.
N/A.
Anything else?
Related to shipwright-io/cli#304, where we are rendering the CLI's flag to generate SA's inert.
Metadata
Metadata
Assignees
Type
Projects
Status
Milestone
Relationships
Development
No branches or pull requests
Activity
SaschaSchwarze0 commentedon Apr 27, 2025
Related to or maybe even duplicate of #679.
adambkaplan commentedon May 6, 2025
Perhaps related - that discussion is fairly old around Tekton's
creds-init
behavior. My intent was to remove the controller code that could provision a service account per build pipeline.SaschaSchwarze0 commentedon May 7, 2025
Right, but we can only do that once we handle registry credentials on our own.