View Issue Details

ID: 0015071
Project: CentOS CI
Category: [All Projects] general
View Status: public
Last Update: 2020-01-29 16:39
Status: resolved
Resolution: fixed
Summary: 0015071: [cockpit project] Please add service account that can create Jobs
Description: To robustify, secure, and parallelize our Cockpit infrastructure, it would be nice if a "webhook" pod could create [Kubernetes Jobs]( that spawn a new pod, let it do the actual task (like doing a cockpit or welder-web release), and die again. The "webhook" pod listens to GitHub webhook requests and should have as few privileges as possible.

As far as I understand the documentation, this should be done with having a service account that is able to create/delete Jobs, and nothing else. In particular, I *don't* want to copy my own user credentials (or rather, stefw's in this case) into the pod, as that would be equivalent to fully administrative access to the whole "cockpit" project, not gain any isolation, and put the user credentials in jeopardy (leaking through possible security vulnerabilities in web servers, etc.).

So the user "stefw" can create Jobs:

    $ oc auth can-i create jobs

but that user cannot create a new service account that can create jobs. Nor can any of the default system accounts like `deployer`.

I tried to create a `create-job` service account with this YAML:

    apiVersion: v1
    kind: List
    items:
    - kind: ServiceAccount
      apiVersion: v1
      metadata:
        name: create-job
        namespace: cockpit

    - kind: Role
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        namespace: cockpit
        name: job-creator
      rules:
      - apiGroups: ["batch"] # Jobs live in the "batch" API group, not the core ("") group
        resources: ["jobs"]
        verbs: ["create", "list", "delete"]

    - kind: RoleBinding
      apiVersion: rbac.authorization.k8s.io/v1
      metadata:
        name: job-creator-binding
        namespace: cockpit
      subjects:
      - kind: ServiceAccount
        name: create-job
        namespace: cockpit
      roleRef:
        kind: Role
        name: job-creator
        apiGroup: rbac.authorization.k8s.io

but it fails:

    Error from server (Forbidden): User "stefw" cannot create in project "cockpit"
    Error from server (Forbidden): User "stefw" cannot create in project "cockpit"

So, can "stefw" (or CentOS CI users in general) be allowed to create Roles and RoleBindings, or can you create that service account for us (that would be fine, I see no reason to change it)?

Or have I thoroughly misunderstood something here? There is a plethora of rather unhelpful and confusing documentation, about
[service accounts](, [SCCs]( (which a non-admin user doesn't have access to, AFAICS), [authorization and role bindings](, [RBAC](, [pod security policies](
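As an added illustration (not part of the issue or of the CentOS CI configuration): a static least-privilege check that resolves what a service account is granted through a manifest's RoleBindings and Roles and compares the result against an allowlist, flagging wildcards and the core-group-vs-batch mistake for Jobs. The manifest is a constructed JSON rendering of the List above with the Role's apiGroups set to "batch", which is the group Jobs live in; the function names are this example's own.

```python
import json

# Constructed sample: the issue's List manifest as JSON (oc accepts JSON too).
MANIFEST_JSON = """{"apiVersion": "v1", "kind": "List", "items": [
 {"kind": "ServiceAccount", "apiVersion": "v1",
  "metadata": {"name": "create-job", "namespace": "cockpit"}},
 {"kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
  "metadata": {"name": "job-creator", "namespace": "cockpit"},
  "rules": [{"apiGroups": ["batch"], "resources": ["jobs"],
             "verbs": ["create", "list", "delete"]}]},
 {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
  "metadata": {"name": "job-creator-binding", "namespace": "cockpit"},
  "subjects": [{"kind": "ServiceAccount", "name": "create-job",
                "namespace": "cockpit"}],
  "roleRef": {"kind": "Role", "name": "job-creator",
              "apiGroup": "rbac.authorization.k8s.io"}}]}"""

# Everything the webhook pod is allowed to do, and nothing else.
EXPECTED = {("batch", "jobs", v) for v in ("create", "list", "delete")}

def granted_permissions(manifest, sa_name, namespace):
    """(apiGroup, resource, verb) triples the service account receives via
    RoleBindings in the manifest whose roleRef is a Role also in it."""
    items = manifest["items"]
    roles = {(i["metadata"]["namespace"], i["metadata"]["name"]): i
             for i in items if i["kind"] == "Role"}
    granted = set()
    for rb in (i for i in items if i["kind"] == "RoleBinding"):
        ns = rb["metadata"]["namespace"]
        if not any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                   and s.get("namespace", ns) == namespace
                   for s in rb.get("subjects", [])):
            continue
        role = roles.get((ns, rb["roleRef"]["name"]))
        if rb["roleRef"]["kind"] != "Role" or role is None:
            continue  # ClusterRole refs and roles outside the manifest are not resolved
        for rule in role.get("rules", []):
            for g in rule.get("apiGroups", [""]):
                for r in rule["resources"]:
                    for v in rule["verbs"]:
                        granted.add((g, r, v))
    return granted

def audit(manifest_text, sa_name, namespace, expected=EXPECTED):
    """Parse the manifest and return (unexpected, missing, warnings)."""
    granted = granted_permissions(json.loads(manifest_text), sa_name, namespace)
    warnings = [f"wildcard grant {p}" for p in sorted(granted) if "*" in p]
    warnings += [f"{p}: Jobs are in the batch group; a core-group rule grants nothing"
                 for p in sorted(granted) if p[0] == "" and p[1] == "jobs"]
    return granted - expected, expected - granted, warnings
```

Running `audit(MANIFEST_JSON, "create-job", "cockpit")` against the manifest as posted (with `apiGroups: [""]`) reports all three expected permissions as missing, which is the kind of silent misconfiguration this catches before the account is bound.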

Tags: No tags attached.

2018-07-25 20:14

administrator   ~0032355

I'll see if we can get that role/rolebinding created; after that I *think* you can create service accounts attached to that (since you're an admin on the project). I'll update here when that's done.

I would ask, if you're doing this yourself, that we get you credentials on that project separately to avoid sharing with stefw.


2018-07-26 10:35

reporter   ~0032360

Thanks, sounds good!

Wrt. credentials for myself on the cockpit project, should I file a new ticket for that here? Or somewhere else? Indeed I'm doing this in stefw's stead.


2018-07-26 14:15

administrator   ~0032362

I added the SA and the role{,binding} as requested.

Consider your account requested, and I'll send credentials.


2018-07-26 15:21

reporter   ~0032363

Thanks Brian! For committing the objects to git (in case we need to replicate them in the future), did you use that exact YAML, or did you make some modifications?


2018-07-26 20:54

administrator   ~0032367

I made some modifications, but they're temporary due to the fact that we're still running Origin 3.6 (which is before Roles/Rolebindings migrated to take advantage of kube rbac objects).

I'll send you a copy with your new credentials.

Issue History

Date Modified Username Field Change
2018-07-17 16:06 Martin.Pitt New Issue
2018-07-25 20:14 bstinson Note Added: 0032355
2018-07-26 10:35 Martin.Pitt Note Added: 0032360
2018-07-26 14:15 bstinson Note Added: 0032362
2018-07-26 15:21 Martin.Pitt Note Added: 0032363
2018-07-26 20:54 bstinson Note Added: 0032367
2018-07-30 21:43 bstinson Status new => resolved
2018-07-30 21:43 bstinson Resolution open => fixed
2020-01-29 16:39 arrfab Project Buildsys => CentOS CI
2020-01-29 16:39 arrfab Category Ecosystem Testing => general