security: Operator and Toolbox SCC for default service account on OpenShift #13936
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
travisn
force-pushed
the
default-serviceaccount-scc
branch
from
d96f5ae to
d594510
Compare
parth-gr
approved these changes
Mar 15, 2024
| @@ -22,6 +22,7 @@ spec: | |||
| app: rook-ceph-tools-operator-image | |||
| spec: | |||
| dnsPolicy: ClusterFirstWithHostNet | |||
| serviceAccountName: rook-ceph-default | |||
There was a problem hiding this comment.
Does that mean toolbox deployment should also use the default service account created by rook, instead of k8s default service account?
There was a problem hiding this comment.
Yes, toolbox needs to use the service account, it's updated below as well.
|
we may need to backport it to 1.13 since required for download also |
What's required for 1.13? The new default service account is only expected in 1.14 |
travisn
force-pushed
the
default-serviceaccount-scc
branch
from
d594510 to
3a93a72
Compare
|
@travisn I think Subham means for the downstream, but we have a separate pr for it red-hat-storage/ocs-operator#2511 |
The default service account access is needed for the operator and the toolbox to run on openshift. This is a follow-up from PR 13362 that created a new default service account to use with all ceph or rook components that were relying on the default service account. Signed-off-by: Travis Nielsen <[email protected]>
travisn
force-pushed
the
default-serviceaccount-scc
branch
from
3a93a72 to
3e54055
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The default service account access is needed for the operator and the toolbox to run on openshift. This is a follow-up from #13362 that created a new default service account to use with all ceph or rook components that were relying on the default service account.
Checklist: