Skip to content
This repository has been archived by the owner on Aug 12, 2024. It is now read-only.

Use non-default service account for unpacker pods #374

Open
akihikokuroda opened this issue May 16, 2022 · 3 comments
Open

Use non-default service account for unpacker pods #374

akihikokuroda opened this issue May 16, 2022 · 3 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Milestone
backlog

Comments

@akihikokuroda
Copy link
Member

The unpacker pods are using the default service account in the provisioner namespace (rukpak-system). It is not good practice from security point of view.
@akihikokuroda akihikokuroda mentioned this issue May 16, 2022
Merged
@akihikokuroda
Copy link
Member Author

There are 2 options:

  • use the hardcoded service account other than default
  • Add an optional service account name in the ImageSource API.

WDYT?

@timflannagan timflannagan added the priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. label May 26, 2022
@timflannagan timflannagan added this to the backlog milestone May 26, 2022
@joelanford
Copy link
Member

My two cents:

  1. We should use something other than the default SA as our default. I'd suggest putting that SA in our kustomize manifests and updating our image source to use the same name. Ideally, that default SA name would be a flag passed in to the binary, so that it could be overridden at runtime (but I know that means expanding the function parameter list for source.NewDefaultUnpacker())
  2. We should add a bundle.spec.source.image.serviceAccountName. If set, that would override the default from 1)

@github-actions
Copy link

github-actions bot commented Nov 2, 2022

This issue has become stale because it has been open 60 days with no activity. The maintainers of this repo will remove this label during issue triage or it will be removed automatically after an update. Adding the lifecycle/frozen label will cause this issue to ignore lifecycle events.

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 2, 2022
@joelanford joelanford added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Nov 2, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
backlog
Development

No branches or pull requests
3 participants
@joelanford @timflannagan @akihikokuroda