Split kuryr-controller and kuryr-cni ServiceAccounts

Bug #1764783 reported by Michal Dulko
This bug affects 1 person
Affects: kuryr-kubernetes
Status: Fix Released
Importance: Low
Assigned to: Tabitha Fasoyin

Bug Description

When introducing the containerized Kuryr deployment, we've only needed a ServiceAccount for the kuryr-controller Pod, as only it was connecting to the K8s API. Now, with kuryr-daemon being the default, the kuryr-cni Pod needs a ServiceAccount as well. We've used the existing kuryr-controller SA, but those two should be split into two SAs, each restricted only to the paths that its container needs (e.g. kuryr-cni doesn't need access to the Service resource).

Besides that, in the case of OpenShift, only the kuryr-cni SA should require access to root privileges.

tags: added: low-hanging-fruit
Changed in kuryr-kubernetes:
status: New → Confirmed
assignee: nobody → Tabitha Fasoyin (tabbie-fash)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kuryr-kubernetes (master)

Fix proposed to branch: master
Review: https://review.opendev.org/759600

Changed in kuryr-kubernetes:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kuryr-kubernetes (master)

Reviewed: https://review.opendev.org/759600
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=6a6e4907e5c57277bd998acfe2402ed5b8057326
Submitter: Zuul
Branch: master

commit 6a6e4907e5c57277bd998acfe2402ed5b8057326
Author: Tabitha <email address hidden>
Date: Sun Oct 25 22:27:25 2020 +0100

    Splits kuryr-controller and kuryr-cni ServiceAccounts

    The same ServiceAccount was used for kuryr-controller and kuryr-cni.
    This change splits the ServiceAccount, generates two ServiceAccounts,
    controller_service_account.yaml and cni_service_account.yaml and
    applies them. The documentation, Kuryr installation as kubernetes addon
    network addon was also updated to reflect this change.

    Change-Id: I567aaa38f5498af4641e06002b808915dd467aec
    Closes-Bug: #1764783

Changed in kuryr-kubernetes:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kuryr-kubernetes 4.0.0.0rc1

This issue was fixed in the openstack/kuryr-kubernetes 4.0.0.0rc1 release candidate.
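
A check for the condition the bug description asks to remove, as an added example that is not part of the bug report or the Kuryr code base: it flags workloads that share one ServiceAccount and lists which resources a given SA is granted. The manifests, role names and resource lists below are constructed for illustration and are not Kuryr's actual RBAC rules; namespaces are ignored for brevity.

```python
from collections import defaultdict

def shared_service_accounts(workloads):
    """Map each ServiceAccount used by more than one workload to those workloads."""
    users = defaultdict(list)
    for w in workloads:
        sa = w["spec"]["template"]["spec"].get("serviceAccountName", "default")
        users[sa].append(w["metadata"]["name"])
    return {sa: sorted(names) for sa, names in users.items() if len(names) > 1}

def granted_resources(sa_name, roles, bindings):
    """Collect every resource allowed by the ClusterRoles bound to sa_name."""
    by_name = {r["metadata"]["name"]: r for r in roles}
    granted = set()
    for b in bindings:
        if any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
               for s in b.get("subjects", [])):
            for rule in by_name.get(b["roleRef"]["name"], {}).get("rules", []):
                granted.update(rule.get("resources", []))
    return granted

# Helpers that build minimal manifest dicts (constructed sample data).
def workload(kind, name, sa):
    return {"kind": kind, "metadata": {"name": name},
            "spec": {"template": {"spec": {"serviceAccountName": sa}}}}

def role(name, resources):
    return {"kind": "ClusterRole", "metadata": {"name": name},
            "rules": [{"apiGroups": [""], "resources": resources,
                       "verbs": ["get", "list", "watch"]}]}

def binding(role_name, sa):
    return {"kind": "ClusterRoleBinding", "roleRef": {"name": role_name},
            "subjects": [{"kind": "ServiceAccount", "name": sa}]}

# Before the split: both Pods run under the kuryr-controller SA.
BEFORE_WORKLOADS = [workload("Deployment", "kuryr-controller", "kuryr-controller"),
                    workload("DaemonSet", "kuryr-cni", "kuryr-controller")]
# After the split: one SA per Pod, and the CNI role omits services.
AFTER_WORKLOADS = [workload("Deployment", "kuryr-controller", "kuryr-controller"),
                   workload("DaemonSet", "kuryr-cni", "kuryr-cni")]
ROLES = [role("kuryr-controller", ["pods", "services", "endpoints"]),
         role("kuryr-cni", ["pods"])]
BINDINGS = [binding("kuryr-controller", "kuryr-controller"),
            binding("kuryr-cni", "kuryr-cni")]

if __name__ == "__main__":
    print("shared before:", shared_service_accounts(BEFORE_WORKLOADS))
    print("shared after: ", shared_service_accounts(AFTER_WORKLOADS))
    print("cni SA grants:", granted_resources("kuryr-cni", ROLES, BINDINGS))
```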
