Comment 1 for bug 1837446

Andy (andy.wrs) wrote :

After some investigation and tests, the following service users are considered safe to be removed:
murano
rabbitmq
glance
cinder
nfv
heat
panko
gnocchi
aodh
magnum

And the following host users' login shell can be disabled with "/sbin/nologin":
ceilometer
keystone

Some OpenStack services have privileged containers (ceilometer, ironic, libvirt, neutron and nova) that have almost the same privileges as processes running on bare metal, and can access and manipulate host resources (including users and groups). Their service users on the host are risky to remove. One example is "neutron", where the neutron-ovs-agent-init container has a reference to the host user "neutron" as follows:

controller-0:/scratch/apps/stx-openstack/1.0-17-centos-stable-versioned/charts/# docker logs k8s_neutron-ovs-agent-init_neutron-ovs-agent-controller-0-dec13249-jpmt9_openstack_61d1de52-afc9-11e9-b90c-90e2ba508e90_35
+ chown neutron: /run/openvswitch/db.sock
chown: invalid spec: 'neutron:'

If the host user "neutron" doesn't exist, neutron-ovs-agent-init will fail and cause all pods that depend on it to fail as well.

So the following service users (group) will be kept:
neutron
ceilometer
ironic
nova
libvirt (it's a group not a user)
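As an added example (not from the bug report or from the stx-openstack charts), the following POSIX shell snippet is a pre-check one can run before removing a host service user or switching its shell to /sbin/nologin: it confirms the account resolves, looks for processes and files still owned by it, and reproduces the chown failure quoted above, where a spec naming a user that does not resolve is rejected. It assumes getent, find, mktemp and chown are available and that it runs unprivileged; the user name no_such_user_zz123 and the directory arguments are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-removal checks for host service users.
# Not part of the bug report; assumes getent/find/mktemp/chown exist.

# Return 0 if the account name resolves in the host's passwd database.
user_exists() {
    getent passwd "$1" >/dev/null 2>&1
}

# Print one of: missing   - account does not resolve on this host
#               keep      - account still owns a process or a file under the
#                           directories given as extra arguments
#               candidate - nothing found; reasonable to remove or set nologin
# Usage: classify_user NAME [DIR ...]
classify_user() {
    u=$1
    shift
    if ! user_exists "$u"; then
        echo missing
        return 0
    fi
    # /proc/<pid> directories are owned by the process owner, so a hit here
    # means the user still runs something (no dependency on procps).
    if [ -n "$(find /proc -maxdepth 1 -type d -name '[0-9]*' -user "$u" -print -quit 2>/dev/null)" ]; then
        echo keep
        return 0
    fi
    for d in "$@"; do
        [ -d "$d" ] || continue
        if [ -n "$(find "$d" -user "$u" -print -quit 2>/dev/null)" ]; then
            echo keep
            return 0
        fi
    done
    echo candidate
}

# Reproduce the neutron-ovs-agent-init failure mode: "chown NAME: FILE" with a
# NAME that does not resolve fails ("invalid spec"), so any container entrypoint
# that does this breaks once the host account is gone.
# Returns 0 if the chown spec is accepted, 1 otherwise.
chown_spec_works() {
    f=$(mktemp) || return 2
    if chown "$1:" "$f" 2>/dev/null; then rc=0; else rc=1; fi
    rm -f "$f"
    return $rc
}

# Stand-alone usage: classify the candidate list from the comment.
if [ "${0##*/}" = "precheck_users.sh" ]; then
    for u in murano rabbitmq glance cinder nfv heat panko gnocchi aodh magnum; do
        printf '%s: %s\n' "$u" "$(classify_user "$u" /var /etc /run)"
    done
fi
```

Run it as precheck_users.sh on a controller to get a per-user verdict; anything reported as keep should be inspected (and its container entrypoints checked for chown-style references) before it is touched.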