
Better handling of pre-existing service accounts by the rbac-manager operator #386

Open
chaitanyakolluru opened this issue Apr 20, 2023 · 2 comments
Labels
enhancement Adding additional functionality or improvements pinned Prevents stalebot from removing priority: could Future work depending on bandwidth and availability

Comments

@chaitanyakolluru

We have a few service accounts that are created outside of our rbacDefinitions, and the rbac-manager operator logs show attempts to create each service account whenever it tries to reconcile service accounts on the cluster. Outside of adding the label rbac-manager=reactiveops to those pre-existing service accounts, there isn't a way for us to prevent rbac-manager from trying to create those service accounts.

I believe there should be a new label that rbac-manager looks for so we can manage service accounts we don't want rbac-manager trying to create upon reconciliation.

One option is to add the label to our pre-existing service accounts, but I'm not sure if that brings in unforeseen issues.

Logs for rbac-manager show repeated error logs attempting to create service accounts that were created outside of rbacDefinitions.

@chaitanyakolluru chaitanyakolluru added enhancement Adding additional functionality or improvements triage This bug needs triage labels Apr 20, 2023
@sudermanjr (Member)

Thanks! We definitely need to reconsider some of the service account management in general. Probably at the same time we can address #137

@sudermanjr sudermanjr added priority: could Future work depending on bandwidth and availability pinned Prevents stalebot from removing and removed triage This bug needs triage labels May 15, 2023
@eryalito (Contributor) commented Oct 2, 2023

Hey! I want to bump this up with an idea I got from this comment: #137 (comment)

Would you consider accepting a feature to avoid creating (or trying to create) SAs via a specific field on each SA definition? (With a default value that creates the service account, to preserve backwards compatibility.)
So an RBD example that does NOT create/sync the SA would look like:

```yaml
apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: robot-rbac
rbacBindings:
  - name: robot-ci
    subjects:
      - kind: ServiceAccount
        namespace: app
        name: robot
        createServiceAccount: false   # proposed field, not part of the current schema
    roleBindings:
      - clusterRole: edit
        namespace: app
```

So when createServiceAccount is defined and set to false, rbac-manager wouldn't create or sync the SA (also, if imagePullSecrets are defined, they won't be created).

I'm not sure about the name, or whether it would be better to define it at RBD level and apply it to all of the SAs. What are your thoughts on this?
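Dry-run planner for the two situations discussed in this thread: the reporter's pre-existing, unlabelled service accounts that the operator keeps trying to create, and the proposed createServiceAccount: false subject field. This is an added example written for this page, not code from rbac-manager. Everything about the operator's behaviour here is an assumption stated in the comments: an SA carrying the rbac-manager=reactiveops label is treated as owned by the operator (so it is kept in sync, and a labelled SA that no RBACDefinition references any longer is reported as orphaned, which is the "unforeseen issue" worth checking before labelling existing SAs); an SA named in an RBACDefinition that exists without that label is re-created on every reconcile and fails, which is the repeated error the issue describes. The createServiceAccount field, the SARef/ExistingSA/Plan types and the sample cluster state are all constructed for the example.

```python
"""Dry-run planner for ServiceAccount handling in an rbac-manager-style
reconcile loop. Added example, not rbac-manager's own code; the semantics
encoded below (label == ownership, unlabelled existing SA == create
conflict, createServiceAccount flag) are assumptions for illustration."""
import copy
from dataclasses import dataclass, field
from typing import Dict, List

MANAGED_LABEL = ("rbac-manager", "reactiveops")  # label named in the issue


@dataclass(frozen=True)
class SARef:
    namespace: str
    name: str


@dataclass
class ExistingSA:
    namespace: str
    name: str
    labels: Dict[str, str] = field(default_factory=dict)

    def ref(self) -> SARef:
        return SARef(self.namespace, self.name)

    def is_managed(self) -> bool:
        key, value = MANAGED_LABEL
        return self.labels.get(key) == value


@dataclass
class Plan:
    create: List[SARef] = field(default_factory=list)    # missing: operator would create it
    sync: List[SARef] = field(default_factory=list)      # exists with the label: owned, re-synced
    skip: List[SARef] = field(default_factory=list)      # createServiceAccount: false, never touched
    conflict: List[SARef] = field(default_factory=list)  # exists without label: create fails each loop
    orphaned: List[SARef] = field(default_factory=list)  # labelled, but no binding references it


def desired_service_accounts(rbd: dict) -> Dict[SARef, bool]:
    """Collect ServiceAccount subjects from rbacBindings[].subjects[].
    Value is the effective createServiceAccount flag: defaults to True
    (backwards compatible); an explicit false wins if a subject is listed
    in several bindings."""
    wanted: Dict[SARef, bool] = {}
    for binding in rbd.get("rbacBindings", []):
        for subject in binding.get("subjects", []):
            if subject.get("kind") != "ServiceAccount":
                continue
            ref = SARef(subject["namespace"], subject["name"])
            create = bool(subject.get("createServiceAccount", True))
            wanted[ref] = wanted.get(ref, True) and create
    return wanted


def plan_reconcile(rbd: dict, existing: List[ExistingSA]) -> Plan:
    """Classify every desired and every labelled SA without touching a cluster."""
    by_ref = {sa.ref(): sa for sa in existing}
    wanted = desired_service_accounts(rbd)
    plan = Plan()
    for ref, create in wanted.items():
        current = by_ref.get(ref)
        if not create:
            plan.skip.append(ref)
        elif current is None:
            plan.create.append(ref)
        elif current.is_managed():
            plan.sync.append(ref)
        else:
            plan.conflict.append(ref)
    for ref, sa in by_ref.items():
        if sa.is_managed() and ref not in wanted:
            plan.orphaned.append(ref)
    return plan


def without_flag(rbd: dict) -> dict:
    """Same RBACDefinition with the proposed field dropped (today's schema)."""
    stripped = copy.deepcopy(rbd)
    for binding in stripped["rbacBindings"]:
        for subject in binding["subjects"]:
            subject.pop("createServiceAccount", None)
    return stripped


# Constructed sample input: the robot-rbac RBD from the thread plus a second
# binding, as the dict a YAML loader would produce.
RBD_WITH_FLAG = {
    "apiVersion": "rbacmanager.reactiveops.io/v1beta1",
    "kind": "RBACDefinition",
    "metadata": {"name": "robot-rbac"},
    "rbacBindings": [
        {"name": "robot-ci",
         "subjects": [{"kind": "ServiceAccount", "namespace": "app", "name": "robot",
                       "createServiceAccount": False}],
         "roleBindings": [{"clusterRole": "edit", "namespace": "app"}]},
        {"name": "builders",
         "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "builder"},
                      {"kind": "ServiceAccount", "namespace": "app", "name": "deployer"}],
         "roleBindings": [{"clusterRole": "view", "namespace": "ci"}]},
    ],
}

# Constructed cluster state: app/robot was created outside rbac-manager (no
# label); app/deployer is labelled; app/legacy is labelled but unreferenced;
# ci/builder does not exist yet.
EXISTING = [
    ExistingSA("app", "robot"),
    ExistingSA("app", "deployer", {"rbac-manager": "reactiveops"}),
    ExistingSA("app", "legacy", {"rbac-manager": "reactiveops"}),
]

if __name__ == "__main__":
    for title, rbd in (("with createServiceAccount", RBD_WITH_FLAG),
                       ("without the field", without_flag(RBD_WITH_FLAG))):
        plan = plan_reconcile(rbd, EXISTING)
        print(title)
        for action in ("create", "sync", "skip", "conflict", "orphaned"):
            refs = getattr(plan, action)
            print(f"  {action:9s} {[f'{r.namespace}/{r.name}' for r in refs]}")
```

Running it shows the difference the proposal makes: with the field, app/robot lands in skip and nothing is attempted against it; without it, the same pre-existing SA lands in conflict, which is the create attempt repeated on every reconcile. The orphaned bucket (app/legacy) is the case to check before adopting the label-only workaround, since under these assumed semantics a labelled SA that drops out of every RBD is one the operator considers its own.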

Development

No branches or pull requests

3 participants