From 5336fea93d59b713b3af76cc6abd849d45d893ed Mon Sep 17 00:00:00 2001
From: Souvik Sarkar
Date: Wed, 19 Jan 2022 17:03:39 +0530
Subject: [PATCH 1/7] RHDEVDOCS-3304 Document default pipelines SA
---
 modules/3304-delete-later.adoc | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 modules/3304-delete-later.adoc
diff --git a/modules/3304-delete-later.adoc b/modules/3304-delete-later.adoc
new file mode 100644
index 000000000000..34c92c2d93d8
--- /dev/null
+++ b/modules/3304-delete-later.adoc
@@ -0,0 +1 @@
+lorem ipsum
\ No newline at end of file
From 1625d6f2338a4e7d7b7a0c76eea3a0c86dd6041b Mon Sep 17 00:00:00 2001
From: Souvik Sarkar
Date: Wed, 23 Feb 2022 17:16:26 +0530
Subject: [PATCH 2/7] complete draft
---
 cicd/pipelines/installing-pipelines.adoc | 4 ++
 modules/3304-delete-later.adoc | 1 -
 ...-automatic-creation-of-rbac-resources.adoc | 37 +++++++++++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)
 delete mode 100644 modules/3304-delete-later.adoc
 create mode 100644 modules/op-disabling-automatic-creation-of-rbac-resources.adoc
diff --git a/cicd/pipelines/installing-pipelines.adoc b/cicd/pipelines/installing-pipelines.adoc
index 38fdf03b6967..bd24eb968ac0 100644
--- a/cicd/pipelines/installing-pipelines.adoc
+++ b/cicd/pipelines/installing-pipelines.adoc
@@ -36,6 +36,10 @@ include::modules/op-installing-pipelines-operator-using-the-cli.adoc[leveloffset
 include::modules/op-pipelines-operator-in-restricted-environment.adoc[leveloffset=+1]
+// Disabling the default `pipeline` service account
+
+include::modules/op-disabling-automatic-creation-of-rbac-resources.adoc[leveloffset=+1]
+
 [role="_additional-resources"]
 == Additional resources
diff --git a/modules/3304-delete-later.adoc b/modules/3304-delete-later.adoc
deleted file mode 100644
index 34c92c2d93d8..000000000000
--- a/modules/3304-delete-later.adoc
+++ /dev/null
@@ -1 +0,0 @@
-lorem ipsum
\ No newline at end of file
diff --git a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
new file mode 100644
index 000000000000..648f2fea5e94
--- /dev/null
+++ b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// */openshift_pipelines/installing-pipelines.adoc
+[id="op-disabling-automatic-creation-of-rbac-resources_{context}"]
+= Disabling the automatic creation of RBAC resources
+
+After default installation, the {pipelines-title} Operator creates multiple Role Based Access Control (RBAC) resources for all namespaces in the cluster. Among them, the `pipelines-scc-rolebinding` SCC role binding resource is a potential security issue, because the associated `pipelines-scc` Security Context Constraint has `RunAsAny` privilege.
+
+To disable the automatic creation of cluster-wide RBAC resources after the {pipelines-title} Operator is installed, cluster administrators can set the `createRbacResource` parameter to `false` in the cluster level `TektonConfig` custom resource.
+
+.Example `TektonConfig` custom resource
+[source,yaml]
+----
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonConfig
+metadata:
+ name: config
+spec:
+ params:
+ - name: createRbacResource
+ value: "false"
+ profile: all
+ targetNamespace: openshift-pipelines
+ addon:
+ params:
+ - name: clusterTasks
+ value: "true"
+ - name: pipelineTemplates
+ value: "true"
+...
+----
+
+[WARNING]
+====
+When you disable automatic creation of the RBAC resources on all namespaces, the default `ClusterTask` resource does not work. For the `ClusterTask` resource to function, cluster administrators or users with appropriate privileges must create the RBAC resources manually for each intended namespace.
+====
+
From 0963206a8a941a844f1aa927790f97f0ced5ef00 Mon Sep 17 00:00:00 2001
From: Souvik Sarkar
Date: Wed, 23 Feb 2022 17:19:04 +0530
Subject: [PATCH 3/7] trivial edits
---
 cicd/pipelines/installing-pipelines.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cicd/pipelines/installing-pipelines.adoc b/cicd/pipelines/installing-pipelines.adoc
index bd24eb968ac0..5f6de090dab9 100644
--- a/cicd/pipelines/installing-pipelines.adoc
+++ b/cicd/pipelines/installing-pipelines.adoc
@@ -36,7 +36,7 @@ include::modules/op-installing-pipelines-operator-using-the-cli.adoc[leveloffset
 include::modules/op-pipelines-operator-in-restricted-environment.adoc[leveloffset=+1]
-// Disabling the default `pipeline` service account
+// Disabling automatic creation of RBAC resources
 include::modules/op-disabling-automatic-creation-of-rbac-resources.adoc[leveloffset=+1]
From e3389eac2ff30eec153f36a39b680df253e077d3 Mon Sep 17 00:00:00 2001
From: Souvik Sarkar
Date: Tue, 1 Mar 2022 15:42:50 +0530
Subject: [PATCH 4/7] Incorporated SME review comments
---
 modules/op-disabling-automatic-creation-of-rbac-resources.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
index 648f2fea5e94..50798788757b 100644
--- a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
+++ b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
@@ -4,7 +4,7 @@
 [id="op-disabling-automatic-creation-of-rbac-resources_{context}"]
 = Disabling the automatic creation of RBAC resources
-After default installation, the {pipelines-title} Operator creates multiple Role Based Access Control (RBAC) resources for all namespaces in the cluster. Among them, the `pipelines-scc-rolebinding` SCC role binding resource is a potential security issue, because the associated `pipelines-scc` Security Context Constraint has `RunAsAny` privilege.
+The default installation of the {pipelines-title} Operator creates multiple Role Based Access Control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the `^(openshift|kube)-*` regular expression pattern. Among these RBAC resources, the `pipelines-scc-rolebinding` SCC role binding resource is a potential security issue, because the associated `pipelines-scc` Security Context Constraint has `RunAsAny` privilege.
 To disable the automatic creation of cluster-wide RBAC resources after the {pipelines-title} Operator is installed, cluster administrators can set the `createRbacResource` parameter to `false` in the cluster level `TektonConfig` custom resource.
From 4aea3eb6a1e5eb27abb7988c097c5e5e9f5f9a85 Mon Sep 17 00:00:00 2001
From: Souvik Sarkar
Date: Tue, 8 Mar 2022 15:46:33 +0530
Subject: [PATCH 5/7] Incorporated peer review comments
---
 cicd/pipelines/installing-pipelines.adoc | 1 +
 ...op-disabling-automatic-creation-of-rbac-resources.adoc | 8 +++++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/cicd/pipelines/installing-pipelines.adoc b/cicd/pipelines/installing-pipelines.adoc
index 5f6de090dab9..1194d827efc0 100644
--- a/cicd/pipelines/installing-pipelines.adoc
+++ b/cicd/pipelines/installing-pipelines.adoc
@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
 toc::[]
+[role="_abstract"]
 This guide walks cluster administrators through the process of installing the {pipelines-title} Operator to an {product-title} cluster.
 // Prerequisites for installing OpenShift Operator
diff --git a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
index 50798788757b..44ebd22e1f5a 100644
--- a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
+++ b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
@@ -1,14 +1,16 @@
 // Module included in the following assemblies:
 //
 // */openshift_pipelines/installing-pipelines.adoc
+:_content-type: CONCEPT
 [id="op-disabling-automatic-creation-of-rbac-resources_{context}"]
 = Disabling the automatic creation of RBAC resources
+[role="_abstract"]
 The default installation of the {pipelines-title} Operator creates multiple Role Based Access Control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the `^(openshift|kube)-*` regular expression pattern. Among these RBAC resources, the `pipelines-scc-rolebinding` SCC role binding resource is a potential security issue, because the associated `pipelines-scc` Security Context Constraint has `RunAsAny` privilege.
-To disable the automatic creation of cluster-wide RBAC resources after the {pipelines-title} Operator is installed, cluster administrators can set the `createRbacResource` parameter to `false` in the cluster level `TektonConfig` custom resource.
+To disable the automatic creation of cluster-wide RBAC resources after the {pipelines-title} Operator is installed, cluster administrators can set the `createRbacResource` parameter to `false` in the cluster-level `TektonConfig` custom resource (CR).
-.Example `TektonConfig` custom resource
+.Example `TektonConfig` CR
 [source,yaml]
 ----
 apiVersion: operator.tekton.dev/v1alpha1
@@ -32,6 +34,6 @@ spec:
 [WARNING]
 ====
-When you disable automatic creation of the RBAC resources on all namespaces, the default `ClusterTask` resource does not work. For the `ClusterTask` resource to function, cluster administrators or users with appropriate privileges must create the RBAC resources manually for each intended namespace.
+As a cluster administrator or an user with appropriate privileges, when you disable the automatic creation of RBAC resources for all namespaces, the default `ClusterTask` resource does not work. For the `ClusterTask` resource to function, you must create the RBAC resources manually for each intended namespace.
 ====
From 626f2f7706962154467c4099d653979d455a8f5e Mon Sep 17 00:00:00 2001
From: Souvik Sarkar
Date: Tue, 8 Mar 2022 15:55:28 +0530
Subject: [PATCH 6/7] incorporated missed comment
---
 modules/op-disabling-automatic-creation-of-rbac-resources.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
index 44ebd22e1f5a..9c44158ef041 100644
--- a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
+++ b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
@@ -6,7 +6,7 @@
 = Disabling the automatic creation of RBAC resources
 [role="_abstract"]
-The default installation of the {pipelines-title} Operator creates multiple Role Based Access Control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the `^(openshift|kube)-*` regular expression pattern. Among these RBAC resources, the `pipelines-scc-rolebinding` SCC role binding resource is a potential security issue, because the associated `pipelines-scc` Security Context Constraint has `RunAsAny` privilege.
+The default installation of the {pipelines-title} Operator creates multiple role-based access control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the `^(openshift|kube)-*` regular expression pattern. Among these RBAC resources, the `pipelines-scc-rolebinding` security context constraint (SCC) role binding resource is a potential security issue, because the associated `pipelines-scc` SCC has the `RunAsAny` privilege.
 To disable the automatic creation of cluster-wide RBAC resources after the {pipelines-title} Operator is installed, cluster administrators can set the `createRbacResource` parameter to `false` in the cluster-level `TektonConfig` custom resource (CR).
From d630102475ed16859246d8d0f98c44eca300a6da Mon Sep 17 00:00:00 2001
From: Souvik Sarkar
Date: Tue, 8 Mar 2022 18:14:20 +0530
Subject: [PATCH 7/7] nitpick
---
 cicd/pipelines/installing-pipelines.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cicd/pipelines/installing-pipelines.adoc b/cicd/pipelines/installing-pipelines.adoc
index 1194d827efc0..4be479b4fe28 100644
--- a/cicd/pipelines/installing-pipelines.adoc
+++ b/cicd/pipelines/installing-pipelines.adoc
@@ -47,7 +47,7 @@ include::modules/op-disabling-automatic-creation-of-rbac-resources.adoc[leveloff
 * You can learn more about installing Operators on {product-title} in the xref:../../operators/admin/olm-adding-operators-to-cluster.adoc#olm-adding-operators-to-a-cluster[adding Operators to a cluster] section.
-* For more information on using pipelines in a restricted environment see:
+* For more information on using pipelines in a restricted environment, see:
 ** xref:../../cicd/pipelines/creating-applications-with-cicd-pipelines.html#op-mirroring-images-to-run-pipelines-in-restricted-environment_creating-applications-with-cicd-pipelines[Mirroring images to run pipelines in a restricted environment]