25. appstudio-pipeline Service Account

Date: 2023-05-30

Status

Accepted

Context

A default service account must be provided to allow Konflux components to run pipelines. While OpenShift Pipelines can automatically create a pipeline ServiceAccount in any namespace, the permissions granted to that account are overly broad, and the solution was rejected after a security review. Therefore, Konflux must manage this default service account.

Decision

Konflux will provide a service account named appstudio-pipeline.

Ownership

The Pipeline Service component owns the appstudio-pipeline-scc ClusterRole.

The CodeReadyToolchain is in charge of:

  • creating the appstudio-pipeline ServiceAccount on all tenant namespaces,
  • creating the appstudio-pipeline-runner ClusterRole,
  • granting the appstudio-pipeline-runner and appstudio-pipeline-scc ClusterRoles to the appstudio-pipeline ServiceAccount.
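An audit of the grants listed above, as an added example that is not part of this ADR or of the Konflux code base: it checks that each tenant namespace binds appstudio-pipeline to exactly the two ClusterRoles named here and reports anything missing or broader. It assumes the grants are made with namespaced RoleBindings and reads input shaped like `kubectl get rolebindings -A -o json`; the namespaces and the extra `edit` grant in the sample are constructed, and ClusterRoleBindings are not examined.

```python
SA_NAME = "appstudio-pipeline"
# The two ClusterRoles this ADR says are granted to the ServiceAccount.
EXPECTED = {("ClusterRole", "appstudio-pipeline-runner"),
            ("ClusterRole", "appstudio-pipeline-scc")}


def rb(ns, role, sa=SA_NAME, kind="ClusterRole"):
    """Build a minimal RoleBinding dict (helper for the constructed sample)."""
    return {"metadata": {"namespace": ns, "name": f"{sa}-{role}"},
            "roleRef": {"kind": kind, "name": role},
            "subjects": [{"kind": "ServiceAccount", "name": sa, "namespace": ns}]}


# Constructed sample shaped like `kubectl get rolebindings -A -o json`.
# Namespace names and the extra "edit" grant are invented for illustration.
SAMPLE = {"items": [
    rb("tenant-a", "appstudio-pipeline-runner"),
    rb("tenant-a", "appstudio-pipeline-scc"),
    rb("tenant-b", "appstudio-pipeline-runner"),
    rb("tenant-b", "edit"),                      # broader than the ADR allows
    rb("tenant-b", "view", sa="some-other-sa"),  # different account, ignored
]}


def audit(bindings, tenant_namespaces):
    """Return {namespace: {"missing": [...], "extra": [...]}} for deviations."""
    granted = {ns: set() for ns in tenant_namespaces}
    for item in bindings.get("items", []):
        ns = item["metadata"]["namespace"]
        if ns not in granted:
            continue
        ref = (item["roleRef"]["kind"], item["roleRef"]["name"])
        for subj in item.get("subjects") or []:
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("name") == SA_NAME
                    and subj.get("namespace", ns) == ns):
                granted[ns].add(ref)
    report = {}
    for ns, roles in granted.items():
        missing = sorted(name for _, name in EXPECTED - roles)
        extra = sorted(f"{kind}/{name}" for kind, name in roles - EXPECTED)
        if missing or extra:
            report[ns] = {"missing": missing, "extra": extra}
    return report


if __name__ == "__main__":
    for ns, finding in audit(SAMPLE, ["tenant-a", "tenant-b", "tenant-c"]).items():
        print(ns, finding)
```

A namespace with no findings is absent from the report; a tenant namespace with no bindings at all is reported as missing both ClusterRoles.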

ClusterRoles

appstudio-pipeline-runner

The resource is defined here.

appstudio-pipeline-scc

The resource is defined here.

Consequences

  • Tekton Pipelines users using the pipeline service account must migrate to the new appstudio-pipeline ServiceAccount.