New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1411421 added information on linking pods to serviceaccounts #3475
Conversation
20155fc
to
a3b48a0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
some suggestions; the change to dev_guide/managing_images.adoc needs to be reverted. Thanks!
@@ -947,6 +947,15 @@ source secrets used. Access is granted with the following command: | |||
$ oc secrets link builder mysecret | |||
---- | |||
|
|||
[NOTE] | |||
==== | |||
As of {product-title} version 3.0.2, limiting secrets to only the service |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
("3.0.2" only applies when {product-title} is OCP)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
slightly clumsy wording, maybe just easier to say something along the lines of: if limitSecretReferences is false (default), this step is not required ?
accounts that reference them is disabled by default. This means that unless | ||
`serviceAccountConfig.limitSecretReferences` is set to `true` in the master | ||
configuration file, linking secrets to a service account will do | ||
nothing. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"is not required" may be better than "will do nothing"
@@ -477,8 +477,9 @@ $ oc secrets new-dockercfg <pull_secret_name> \ | |||
--docker-password=<password> --docker-email=<email> | |||
---- | |||
|
|||
To use a secret for pulling images for pods, you must add the secret to your | |||
service account. The name of the service account in this example should match | |||
If `serviceAccountConfig.limitSecretReferences` is set to `true` in the master |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe this paragraph change is wrong and should be reverted: --for=pull and serviceAccountConfig.limitSecretReferences are separate things.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jim-minter Sorry, maybe I'm missing something. Is that not what you meant in the BZ:
"https://docs.openshift.com/container-platform/3.3/dev_guide/managing_images.html / Allowing Pods to Reference Images from Other Secured Registries
- the advice about 'oc secrets link' is superfluous unless serviceAccountConfig.limitSecretReferences is on, which it is probably not in the majority of installs."
Am I missing something obvious?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The BZ wasn't desperately clear (sorry), but did mention not to review the 'oc secrets link --for=pull' case(s), of which this is one. serviceAccountConfig.limitSecretReferences being enabled affects the requirement to run 'oc secrets link' or 'oc secrets link --for=mount', but not 'oc secrets link --for=pull'.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jim-minter OK. I'm still a bit confused why this was mentioned in the initial BZ, but I've reverted it. Let me know if this still is not what you're requesting.
@@ -170,6 +170,15 @@ To allow a secret to be mounted by a service account's pods, run: | |||
$ oc secrets link --for=mount <serviceaccount-name> <secret-name> | |||
---- | |||
|
|||
[NOTE] | |||
==== | |||
As of {product-title} version 3.0.2, limiting secrets to only the service |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same notes as above apply
@@ -76,6 +76,15 @@ $ oc secrets link registry registry-secret | |||
$ oc secrets link default registry-secret | |||
---- | |||
+ | |||
[NOTE] | |||
==== | |||
As of {product-title} version 3.0.2, limiting secrets to only the service |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same notes as above apply
@@ -170,6 +170,15 @@ To allow a secret to be mounted by a service account's pods, run: | |||
$ oc secrets link --for=mount <serviceaccount-name> <secret-name> | |||
---- | |||
|
|||
[NOTE] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
here you follow a section discussing --for=pull and --for=mount; it may be good to be clearer that the NOTE refers to --for=mount (which is also implied if no --for= is specified) only.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jim-minter I see what you mean, which is why I made sure the last part of the note box says "...mounting secrets to a service account's pods is not required." Or did you mean that it should be more obvious?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I hadn't spotted the wording change (so IMO it's not clear enough ;). Now I re-read it, I'm concerned that the following statement is actually not true and doesn't make sense:
unless
serviceAccountConfig.limitSecretReferences
is set totrue
in the master configuration file, mounting secrets to a service account's pods will do nothing.
Something like the following would make sense:
if the admin has set limitSecretReferences to false (default), it is not required to use oc link --for=mount to enable use of a mountable secret by a service account. However oc link --for=pull is always required to enable use of an image pull secret, regardless of the value of limitSecretReferences.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK. I combined the two. Should be better now.
38c2ada
to
33bbba1
Compare
@gaurav-nelson @ahardin-rh @bmcelvee This should be ok for peer review now ⭐ |
==== | ||
Limiting secrets to only the service accounts that reference them is disabled by | ||
default. This means that if `serviceAccountConfig.limitSecretReferences` is set | ||
to `false` (the default setting)) in the master configuration file, linking |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
double ))
==== | ||
Limiting secrets to only the service accounts that reference them is disabled by | ||
default. This means that if `serviceAccountConfig.limitSecretReferences` is set | ||
to `false` (the default setting)) in the master configuration file, linking |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
double ))
apart from the double ))s, lgtm, thanks |
33bbba1
to
817b9f6
Compare
@@ -947,6 +947,14 @@ source secrets used. Access is granted with the following command: | |||
$ oc secrets link builder mysecret | |||
---- | |||
|
|||
[NOTE] | |||
==== | |||
Limiting secrets to only the service accounts that reference them is disabled by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
to only the → only to the
@@ -170,6 +170,17 @@ To allow a secret to be mounted by a service account's pods, run: | |||
$ oc secrets link --for=mount <serviceaccount-name> <secret-name> | |||
---- | |||
|
|||
[NOTE] | |||
==== | |||
Limiting secrets to only the service accounts that reference them is disabled by |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same as above for all instances
minor change, everything else is fine. ☑️ |
@gaurav-nelson As discussed face-to-face, Going to leave it as is. If there's nothing else, I'll merge this. |
[rev_history] |
As per: https://bugzilla.redhat.com/show_bug.cgi?id=1411421
@jim-minter I'll ask again in the BZ, but can I get an ack this fulfills the request? I am wondering if I've gotten some of the wording wrong. It's hard to tell with the info that's there...
Thanks!