Split kuryr-controller and kuryr-cni ServiceAccounts

Bug #1764783 reported by Michal Dulko on 2018-04-17
Affects: kuryr-kubernetes | Status: Fix Released | Assigned to: Tabitha Fasoyin

Bug Description

When introducing the containerized Kuryr deployment we only needed a ServiceAccount for the kuryr-controller Pod, as only it was connecting to the K8s API. Now, with kuryr-daemon being the default, the kuryr-cni Pod needs a ServiceAccount as well. We've used the existing kuryr-controller SA, but those two should be split into two SAs, each restricted only to the paths that its container needs (e.g. kuryr-cni doesn't need access to the Service resource).

Besides that, in the case of OpenShift only the kuryr-cni SA should require access to root privileges.
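The least-privilege property the report asks for (one ServiceAccount per component, and no Service access for the CNI side) can be checked mechanically against the manifests before they are applied. The script below is an added example written for this page, not kuryr-kubernetes project code: the manifests are a constructed, simplified layout in JSON (which kubectl apply -f also accepts), and the resource lists, verbs, the kube-system namespace and the Deployment/DaemonSet kinds are illustrative assumptions rather than Kuryr's real RBAC rules. It resolves each workload's ServiceAccount through its ClusterRoleBindings, answers the same question as `kubectl auth can-i` offline, and flags both the shared-SA layout this bug describes and any Service access granted to the CNI identity.

```python
"""Least-privilege check for split Kuryr ServiceAccounts (added example,
not project code). Manifests below are constructed; resource lists,
verbs and namespace are assumptions for illustration."""
import copy
import json

# Constructed manifests in JSON form (kubectl apply -f accepts JSON too).
SPLIT_MANIFESTS = json.loads(r"""
[
 {"kind": "ServiceAccount", "metadata": {"name": "kuryr-controller", "namespace": "kube-system"}},
 {"kind": "ServiceAccount", "metadata": {"name": "kuryr-cni", "namespace": "kube-system"}},
 {"kind": "ClusterRole", "metadata": {"name": "kuryr-controller"},
  "rules": [
   {"apiGroups": [""], "resources": ["pods", "services", "endpoints", "namespaces"],
    "verbs": ["get", "list", "watch", "patch"]},
   {"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"],
    "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "kuryr-cni"},
  "rules": [
   {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kuryr-controller"},
  "roleRef": {"kind": "ClusterRole", "name": "kuryr-controller"},
  "subjects": [{"kind": "ServiceAccount", "name": "kuryr-controller", "namespace": "kube-system"}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "kuryr-cni"},
  "roleRef": {"kind": "ClusterRole", "name": "kuryr-cni"},
  "subjects": [{"kind": "ServiceAccount", "name": "kuryr-cni", "namespace": "kube-system"}]},
 {"kind": "Deployment", "metadata": {"name": "kuryr-controller", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"serviceAccountName": "kuryr-controller"}}}},
 {"kind": "DaemonSet", "metadata": {"name": "kuryr-cni", "namespace": "kube-system"},
  "spec": {"template": {"spec": {"serviceAccountName": "kuryr-cni"}}}}
]
""")


def _by_kind(manifests, kind):
    return [m for m in manifests if m["kind"] == kind]


def effective_rules(manifests, sa_name, sa_namespace="kube-system"):
    """Collect the RBAC rules a ServiceAccount receives via ClusterRoleBindings."""
    roles = {r["metadata"]["name"]: r["rules"] for r in _by_kind(manifests, "ClusterRole")}
    rules = []
    for binding in _by_kind(manifests, "ClusterRoleBinding"):
        for subj in binding.get("subjects", []):
            if (subj["kind"], subj["name"], subj.get("namespace")) == \
                    ("ServiceAccount", sa_name, sa_namespace):
                rules.extend(roles.get(binding["roleRef"]["name"], []))
    return rules


def can(manifests, sa_name, verb, resource, api_group=""):
    """Offline equivalent of `kubectl auth can-i`; '*' in a field matches all."""
    for rule in effective_rules(manifests, sa_name):
        if (api_group in rule["apiGroups"] or "*" in rule["apiGroups"]) and \
           (resource in rule["resources"] or "*" in rule["resources"]) and \
           (verb in rule["verbs"] or "*" in rule["verbs"]):
            return True
    return False


def workload_service_accounts(manifests):
    """Map each Deployment/DaemonSet name to the ServiceAccount its pods run as."""
    out = {}
    for m in _by_kind(manifests, "Deployment") + _by_kind(manifests, "DaemonSet"):
        pod_spec = m["spec"]["template"]["spec"]
        out[m["metadata"]["name"]] = pod_spec.get("serviceAccountName", "default")
    return out


def findings(manifests):
    """Return the least-privilege violations this bug report is about."""
    problems = []
    sa_by_workload = workload_service_accounts(manifests)
    # One identity per component: if two workloads share an SA, the API server
    # cannot tell controller from CNI and RBAC cannot scope them separately.
    for sa in set(sa_by_workload.values()):
        users = sorted(w for w, s in sa_by_workload.items() if s == sa)
        if len(users) > 1:
            problems.append(f"ServiceAccount {sa} shared by {', '.join(users)}")
    # The CNI side only deals with pods; it should not be able to read Services.
    cni_sa = sa_by_workload.get("kuryr-cni")
    if cni_sa and any(can(manifests, cni_sa, v, "services") for v in ("get", "list", "watch")):
        problems.append(f"ServiceAccount {cni_sa} (used by kuryr-cni) can read services")
    return problems


def shared_sa_variant(manifests):
    """The pre-fix layout: the CNI DaemonSet reuses the controller's ServiceAccount."""
    before = copy.deepcopy(manifests)
    for m in _by_kind(before, "DaemonSet"):
        m["spec"]["template"]["spec"]["serviceAccountName"] = "kuryr-controller"
    return before


if __name__ == "__main__":
    for label, mf in (("before split", shared_sa_variant(SPLIT_MANIFESTS)),
                      ("after split", SPLIT_MANIFESTS)):
        print(label + ":", findings(mf) or ["ok"])
```

Run against a real deployment, replace the constructed list with the output of `kubectl get sa,clusterrole,clusterrolebinding,deploy,ds -A -o json` (the `items` array) and the same checks apply; the check deliberately ignores namespaced Roles/RoleBindings, so extend `effective_rules` if a cluster grants Kuryr anything through those.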

tags: added: low-hanging-fruit
Changed in kuryr-kubernetes:
status: New → Confirmed
assignee: nobody → Tabitha Fasoyin (tabbie-fash)

Fix proposed to branch: master
Review: https://review.opendev.org/759600

Changed in kuryr-kubernetes:
status: Confirmed → In Progress

Reviewed: https://review.opendev.org/759600
Committed: https://git.openstack.org/cgit/openstack/kuryr-kubernetes/commit/?id=6a6e4907e5c57277bd998acfe2402ed5b8057326
Submitter: Zuul
Branch: master

commit 6a6e4907e5c57277bd998acfe2402ed5b8057326
Author: Tabitha <email address hidden>
Date: Sun Oct 25 22:27:25 2020 +0100

    Splits kuryr-controller and kuryr-cni ServiceAccounts

    The same ServiceAccount was used for kuryr-controller and kuryr-cni.
    This change splits the ServiceAccount, generates two ServiceAccounts,
    controller_service_account.yaml and cni_service_account.yaml, and
    applies them. The documentation, Kuryr installation as a Kubernetes
    network addon, was also updated to reflect this change.

    Change-Id: I567aaa38f5498af4641e06002b808915dd467aec
    Closes-Bug: #1764783

Changed in kuryr-kubernetes:
status: In Progress → Fix Released

This issue was fixed in the openstack/kuryr-kubernetes release candidate.
