Bug 1411421 added information on linking pods to serviceaccounts #3475

Merged
merged 1 commit into from Jan 17, 2017

8 changes: 8 additions & 0 deletions dev_guide/builds.adoc
Expand Up @@ -947,6 +947,14 @@ source secrets used. Access is granted with the following command:
$ oc secrets link builder mysecret
----

[NOTE]
====
Limiting secrets to only the service accounts that reference them is disabled by
Contributor

to only the → only to the

default. This means that if `serviceAccountConfig.limitSecretReferences` is set
to `false` (the default setting) in the master configuration file, linking
secrets to a service is not required.
====

[[automatic-addition-of-a-source-secret-to-a-build-configuration]]
===== Automatic Addition of a Source Secret to a Build Configuration
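
Review bot: In the last sentence of the NOTE, "linking secrets to a service is not required" should say "service account", since the command right above it links `mysecret` to the `builder` service account. The note also describes only the `false` case; consider adding that when `serviceAccountConfig.limitSecretReferences` is `true`, the `oc secrets link builder mysecret` step is what grants the builder access to the source secret, so a reader on a cluster with the restriction enabled knows the command is not optional there.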

11 changes: 11 additions & 0 deletions dev_guide/service_accounts.adoc
Expand Up @@ -170,6 +170,17 @@ To allow a secret to be mounted by a service account's pods, run:
$ oc secrets link --for=mount <serviceaccount-name> <secret-name>
----

[NOTE]

here you follow a section discussing --for=pull and --for=mount; it may be good to be clearer that the NOTE refers to --for=mount (which is also implied if no --for= is specified) only.

Author

@jim-minter I see what you mean, which is why I made sure the last part of the note box says "...mounting secrets to a service account's pods is not required." Or did you mean that it should be more obvious?

Ah, I hadn't spotted the wording change (so IMO it's not clear enough ;). Now I re-read it, I'm concerned that the following statement is actually not true and doesn't make sense:

unless serviceAccountConfig.limitSecretReferences is set to true in the master configuration file, mounting secrets to a service account's pods will do nothing.

Something like the following would make sense:

if the admin has set limitSecretReferences to false (default), it is not required to use oc link --for=mount to enable use of a mountable secret by a service account. However oc link --for=pull is always required to enable use of an image pull secret, regardless of the value of limitSecretReferences.

Author

OK. I combined the two. Should be better now.

====
Limiting secrets to only the service accounts that reference them is disabled by
Contributor

same as above for all instances

default. This means that if `serviceAccountConfig.limitSecretReferences` is set
to `false` (the default setting) in the master configuration file, mounting
secrets to a service account's pods with the `--for=mount` option is not
required. However, using the `--for=pull` option to enable using an image pull
secret is required, regardless of the
`serviceAccountConfig.limitSecretReferences` value.
====

This example creates and adds secrets to a service account:

====
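
Review bot: In the NOTE, "mounting secrets to a service account's pods with the `--for=mount` option is not required" reads as if the mount itself were optional, when what becomes optional is the `oc secrets link --for=mount` step shown above. Suggest wording it as "running `oc secrets link --for=mount` is not required before the service account's pods can mount the secret". The first two sentences also state the default twice ("disabled by default" and "`false` (the default setting)") and could be merged into one.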
8 changes: 8 additions & 0 deletions install_config/registry/securing_and_exposing_registry.adoc
Expand Up @@ -76,6 +76,14 @@ $ oc secrets link registry registry-secret
$ oc secrets link default registry-secret
----
+
[NOTE]
====
Limiting secrets to only the service accounts that reference them is disabled by
default. This means that if `serviceAccountConfig.limitSecretReferences` is set
to `false` (the default setting) in the master configuration file, linking
secrets to a service is not required.
====
+
. Add the secret volume to the registry deployment configuration:
+
----
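
Review bot: This NOTE says without qualification that "linking secrets to a service is not required", but the note added to dev_guide/service_accounts.adoc in the same change says linking with `--for=pull` is required regardless of `serviceAccountConfig.limitSecretReferences`, so the two disagree for pull secrets. Because it sits inside a numbered procedure directly after the two `oc secrets link` commands, it should also say whether the reader is still expected to run them, and "a service" should be "a service account".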