Bug 1411421 added information on linking pods to serviceaccounts #3475
Conversation
bfallonf
force-pushed
the
secrets_1411421
branch
from
20155fc
to
a3b48a0
Compare
| @@ -947,6 +947,15 @@ source secrets used. Access is granted with the following command: | |||
| $ oc secrets link builder mysecret | |||
| ---- | |||
|
|
|||
| [NOTE] | |||
| ==== | |||
| As of {product-title} version 3.0.2, limiting secrets to only the service | |||
There was a problem hiding this comment.
("3.0.2" only applies when {product-title} is OCP)
There was a problem hiding this comment.
slightly clumsy wording, maybe just easier to say something along the lines of: if limitSecretReferences is false (default), this step is not required ?
| accounts that reference them is disabled by default. This means that unless | ||
| `serviceAccountConfig.limitSecretReferences` is set to `true` in the master | ||
| configuration file, linking secrets to a service account will do | ||
| nothing. |
There was a problem hiding this comment.
"is not required" may be better than "will do nothing"
| @@ -477,8 +477,9 @@ $ oc secrets new-dockercfg <pull_secret_name> \ | |||
| --docker-password=<password> --docker-email=<email> | |||
| ---- | |||
|
|
|||
| To use a secret for pulling images for pods, you must add the secret to your | |||
| service account. The name of the service account in this example should match | |||
| If `serviceAccountConfig.limitSecretReferences` is set to `true` in the master | |||
There was a problem hiding this comment.
I believe this paragraph change is wrong and should be reverted: --for=pull and serviceAccountConfig.limitSecretReferences are separate things.
There was a problem hiding this comment.
@jim-minter Sorry, maybe I'm missing something. Is that not what you meant in the BZ:
"https://docs.openshift.com/container-platform/3.3/dev_guide/managing_images.html / Allowing Pods to Reference Images from Other Secured Registries
- the advice about 'oc secrets link' is superfluous unless serviceAccountConfig.limitSecretReferences is on, which it is probably not in the majority of installs."
Am I missing something obvious?
There was a problem hiding this comment.
The BZ wasn't desperately clear (sorry), but did mention not to review the 'oc secrets link --for=pull' case(s), of which this is one. serviceAccountConfig.limitSecretReferences being enabled affects the requirement to run 'oc secrets link' or 'oc secrets link --for=mount', but not 'oc secrets link --for=pull'.
There was a problem hiding this comment.
@jim-minter OK. I'm still a bit confused why this was mentioned in the initial BZ, but I've reverted it. Let me know if this still is not what you're requesting.
| @@ -170,6 +170,15 @@ To allow a secret to be mounted by a service account's pods, run: | |||
| $ oc secrets link --for=mount <serviceaccount-name> <secret-name> | |||
| ---- | |||
|
|
|||
| [NOTE] | |||
| ==== | |||
| As of {product-title} version 3.0.2, limiting secrets to only the service | |||
| @@ -76,6 +76,15 @@ $ oc secrets link registry registry-secret | |||
| $ oc secrets link default registry-secret | |||
| ---- | |||
| + | |||
| [NOTE] | |||
| ==== | |||
| As of {product-title} version 3.0.2, limiting secrets to only the service | |||
| @@ -170,6 +170,15 @@ To allow a secret to be mounted by a service account's pods, run: | |||
| $ oc secrets link --for=mount <serviceaccount-name> <secret-name> | |||
| ---- | |||
|
|
|||
| [NOTE] | |||
There was a problem hiding this comment.
here you follow a section discussing --for=pull and --for=mount; it may be good to be clearer that the NOTE refers to --for=mount (which is also implied if no --for= is specified) only.
There was a problem hiding this comment.
@jim-minter I see what you mean, which is why I made sure the last part of the note box says "...mounting secrets to a service account's pods is not required." Or did you mean that it should be more obvious?
There was a problem hiding this comment.
Ah, I hadn't spotted the wording change (so IMO it's not clear enough ;). Now I re-read it, I'm concerned that the following statement is actually not true and doesn't make sense:
unless
serviceAccountConfig.limitSecretReferencesis set totruein the master configuration file, mounting secrets to a service account's pods will do nothing.
Something like the following would make sense:
if the admin has set limitSecretReferences to false (default), it is not required to use oc link --for=mount to enable use of a mountable secret by a service account. However oc link --for=pull is always required to enable use of an image pull secret, regardless of the value of limitSecretReferences.
There was a problem hiding this comment.
OK. I combined the two. Should be better now.
bfallonf
force-pushed
the
secrets_1411421
branch
2 times, most recently
from
38c2ada
to
33bbba1
Compare
|
@gaurav-nelson @ahardin-rh @bmcelvee This should be ok for peer review now ⭐ |
| ==== | ||
| Limiting secrets to only the service accounts that reference them is disabled by | ||
| default. This means that if `serviceAccountConfig.limitSecretReferences` is set | ||
| to `false` (the default setting)) in the master configuration file, linking |
| ==== | ||
| Limiting secrets to only the service accounts that reference them is disabled by | ||
| default. This means that if `serviceAccountConfig.limitSecretReferences` is set | ||
| to `false` (the default setting)) in the master configuration file, linking |
|
apart from the double ))s, lgtm, thanks |
bfallonf
force-pushed
the
secrets_1411421
branch
from
33bbba1
to
817b9f6
Compare
| @@ -947,6 +947,14 @@ source secrets used. Access is granted with the following command: | |||
| $ oc secrets link builder mysecret | |||
| ---- | |||
|
|
|||
| [NOTE] | |||
| ==== | |||
| Limiting secrets to only the service accounts that reference them is disabled by | |||
There was a problem hiding this comment.
to only the → only to the
| @@ -170,6 +170,17 @@ To allow a secret to be mounted by a service account's pods, run: | |||
| $ oc secrets link --for=mount <serviceaccount-name> <secret-name> | |||
| ---- | |||
|
|
|||
| [NOTE] | |||
| ==== | |||
| Limiting secrets to only the service accounts that reference them is disabled by | |||
There was a problem hiding this comment.
same as above for all instances
|
minor change, everything else is fine. ☑️ |
|
@gaurav-nelson As discussed face-to-face, Going to leave it as is. If there's nothing else, I'll merge this. |
|
[rev_history] |
As per: https://bugzilla.redhat.com/show_bug.cgi?id=1411421
@jim-minter I'll ask again in the BZ, but can I get an ack this fulfills the request? I am wondering if I've gotten some of the wording wrong. It's hard to tell with the info that's there...
Thanks!