View Issue Details

ID: 0015071
Project: Buildsys
Category: Ci.centos.org Ecosystem Testing
View Status: public
Last Update: 2018-07-30 21:43
Reporter: Martin.Pitt
Priority: low
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Summary: 0015071: [cockpit project] Please add service account that can create Jobs

Description

To robustify, secure, and parallelize our Cockpit infrastructure, it would be nice if a "webhook" pod could create [Kubernetes Jobs](https://kubernetes.io/docs/concepts/workloads/controllers/jobs-run-to-completion/) that spawn a new pod, let it do the actual task (like doing a cockpit or welder-web release), and die again. The "webhook" pod listens to GitHub webhook requests, and should have as little privileges as possible.

As far as I understand the documentation, this should be done by having a service account that is able to create/delete Jobs, and nothing else. In particular, I *don't* want to copy my own user credentials (or rather, stefw's in this case) into the pod, as that would be equivalent to fully administrative access to the whole "cockpit" project, would not gain any isolation, and would put the user credentials in jeopardy (leaking through possible security vulnerabilities in web servers, etc.).

So the user "stefw" can create Jobs:

    $ oc auth can-i create jobs
    yes

but that user cannot create a new service account that can create jobs. Nor can any of the default system accounts like `deployer`.

I tried to create a `create-job` service account with this YAML:

```yaml
---
apiVersion: v1
kind: List
items:
- kind: ServiceAccount
  apiVersion: v1
  metadata:
    name: create-job
    namespace: cockpit

- kind: Role
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    namespace: cockpit
    name: job-creator
  rules:                   # rules is a list of PolicyRule objects
  - apiGroups: ["batch"]   # Jobs live in the batch API group, not the core ("") group
    resources: ["jobs"]
    verbs: ["create", "list", "delete"]

- kind: RoleBinding
  apiVersion: rbac.authorization.k8s.io/v1beta1
  metadata:
    name: job-creator-binding
    namespace: cockpit
  subjects:
  - kind: ServiceAccount
    name: create-job
    namespace: cockpit
  roleRef:
    kind: Role
    name: job-creator
    apiGroup: rbac.authorization.k8s.io
```
 
but it fails:

    Error from server (Forbidden): User "stefw" cannot create roles.rbac.authorization.k8s.io in project "cockpit"
    Error from server (Forbidden): User "stefw" cannot create rolebindings.rbac.authorization.k8s.io in project "cockpit"

So, can "stefw" (or CentOS CI users in general) be allowed to create Roles and RoleBindings, or can you create that service account for us (that would be fine, I see no reason to change it)?

Or have I thoroughly misunderstood something here? There is a plethora of rather unhelpful and confusing documentation, about
[service accounts](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/), [SCCs](https://blog.openshift.com/understanding-service-accounts-sccs/) (which a non-admin user doesn't have access to, AFAICS), [authorization and role bindings](https://docs.openshift.com/container-platform/3.6/architecture/additional_concepts/authorization.html), [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/), [pod security policies](https://kubernetes.io/docs/concepts/policy/pod-security-policy/).

Thanks!
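A small checker, added here and not part of the ticket or the Cockpit project, that models how the Kubernetes RBAC authorizer matches a request against a Role's PolicyRules, so a least-privilege Role like the one requested can be audited before it is applied. The two Role variants are constructed for illustration and differ only in `apiGroups`; the model ignores `resourceNames` and subresources (an assumption, not the full authorizer).

```python
# Added example, not from the ticket or the Cockpit project: a minimal model of
# how Kubernetes RBAC matches a request against a Role's PolicyRules, for
# checking a least-privilege Role before applying it. Assumption/simplification:
# resourceNames and subresources are ignored.

# Constructed Role variants for the cockpit namespace; only apiGroups differ.
ROLE_CORE_GROUP = {
    "metadata": {"namespace": "cockpit", "name": "job-creator"},
    "rules": [{"apiGroups": [""], "resources": ["jobs"],
               "verbs": ["create", "list", "delete"]}],
}
ROLE_BATCH_GROUP = {
    "metadata": {"namespace": "cockpit", "name": "job-creator"},
    "rules": [{"apiGroups": ["batch"], "resources": ["jobs"],
               "verbs": ["create", "list", "delete"]}],
}

def _matches(allowed, value):
    # "*" is a wildcard in verbs, apiGroups and resources.
    return "*" in allowed or value in allowed

def role_allows(role, verb, api_group, resource):
    # Allowed if ANY rule matches on all three dimensions (RBAC is allow-only).
    return any(_matches(r.get("verbs", []), verb)
               and _matches(r.get("apiGroups", []), api_group)
               and _matches(r.get("resources", []), resource)
               for r in role["rules"])

def can_i(role, verb, resource_ref):
    # resource_ref uses the resource.group spelling `oc auth can-i` accepts,
    # e.g. "jobs.batch"; a bare "pods" means the core group "".
    resource, _, group = resource_ref.partition(".")
    return role_allows(role, verb, group, resource)

def audit(role, requests):
    # The subset of (verb, resource) requests the Role grants, to compare
    # against the intended minimum (create/list/delete Jobs, nothing else).
    return [(v, ref) for v, ref in requests if can_i(role, v, ref)]

if __name__ == "__main__":
    checks = [("create", "jobs.batch"), ("delete", "jobs.batch"),
              ("create", "pods"), ("get", "secrets"),
              ("create", "rolebindings.rbac.authorization.k8s.io")]
    for role in (ROLE_CORE_GROUP, ROLE_BATCH_GROUP):
        print(role["rules"][0]["apiGroups"], "grants", audit(role, checks))
```

Running it shows that a rule on the core group grants nothing for Jobs, while the `batch` variant grants exactly the three Job verbs and nothing on pods, secrets or RBAC objects.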
Tags: No tags attached.

Activities

bstinson (administrator), 2018-07-25 20:14, note ~0032355

I'll see if we can get that role/rolebinding created, after that I *think* you can create service accounts attached to that (since you're an admin on the project). I'll update here when that's done.

I would ask, if you're doing this yourself, that we get you credentials on that project separately to avoid sharing with stefw.
Martin.Pitt (reporter), 2018-07-26 10:35, note ~0032360

Thanks, sounds good!

Wrt. credentials for myself on the cockpit project, should I file a new ticket for that here? Or somewhere else? Indeed I'm doing this in stefw's stead.
bstinson (administrator), 2018-07-26 14:15, note ~0032362

I added the SA and the role{,binding} as requested.

Consider your account requested, and I'll send credentials.
Martin.Pitt (reporter), 2018-07-26 15:21, note ~0032363

Thanks Brian! For committing the objects to git (in case we need to replicate them in the future), did you use that exact YAML, or did you make some modifications?
bstinson (administrator), 2018-07-26 20:54, note ~0032367

I made some modifications, but they're temporary due to the fact that we're still running Origin 3.6 (which is before Roles/Rolebindings migrated to take advantage of kube rbac objects).

I'll send you a copy with your new credentials.

Issue History

| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2018-07-17 16:06 | Martin.Pitt | New Issue | |
| 2018-07-25 20:14 | bstinson | Note Added | 0032355 |
| 2018-07-26 10:35 | Martin.Pitt | Note Added | 0032360 |
| 2018-07-26 14:15 | bstinson | Note Added | 0032362 |
| 2018-07-26 15:21 | Martin.Pitt | Note Added | 0032363 |
| 2018-07-26 20:54 | bstinson | Note Added | 0032367 |
| 2018-07-30 21:43 | bstinson | Status | new => resolved |
| 2018-07-30 21:43 | bstinson | Resolution | open => fixed |