diff --git a/cicd/pipelines/installing-pipelines.adoc b/cicd/pipelines/installing-pipelines.adoc index 38fdf03b6967..4be479b4fe28 100644 --- a/cicd/pipelines/installing-pipelines.adoc +++ b/cicd/pipelines/installing-pipelines.adoc @@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[] toc::[] +[role="_abstract"] This guide walks cluster administrators through the process of installing the {pipelines-title} Operator to an {product-title} cluster. // Prerequisites for installing OpenShift Operator @@ -36,13 +37,17 @@ include::modules/op-installing-pipelines-operator-using-the-cli.adoc[leveloffset include::modules/op-pipelines-operator-in-restricted-environment.adoc[leveloffset=+1] +// Disabling automatic creation of RBAC resources + +include::modules/op-disabling-automatic-creation-of-rbac-resources.adoc[leveloffset=+1] + [role="_additional-resources"] == Additional resources * You can learn more about installing Operators on {product-title} in the xref:../../operators/admin/olm-adding-operators-to-cluster.adoc#olm-adding-operators-to-a-cluster[adding Operators to a cluster] section. -* For more information on using pipelines in a restricted environment see: +* For more information on using pipelines in a restricted environment, see: ** xref:../../cicd/pipelines/creating-applications-with-cicd-pipelines.html#op-mirroring-images-to-run-pipelines-in-restricted-environment_creating-applications-with-cicd-pipelines[Mirroring images to run pipelines in a restricted environment] diff --git a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc new file mode 100644 index 000000000000..9c44158ef041 --- /dev/null +++ b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc 
@@ -0,0 +1,39 @@ +// Module included in the following assemblies: +// +// */openshift_pipelines/installing-pipelines.adoc +:_content-type: CONCEPT +[id="op-disabling-automatic-creation-of-rbac-resources_{context}"] += Disabling the automatic creation of RBAC resources + +[role="_abstract"] +The default installation of the {pipelines-title} Operator creates multiple role-based access control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the `^(openshift|kube)-*` regular expression pattern. Among these RBAC resources, the `pipelines-scc-rolebinding` security context constraint (SCC) role binding resource is a potential security issue, because the associated `pipelines-scc` SCC has the `RunAsAny` privilege. + +To disable the automatic creation of cluster-wide RBAC resources after the {pipelines-title} Operator is installed, cluster administrators can set the `createRbacResource` parameter to `false` in the cluster-level `TektonConfig` custom resource (CR). + +.Example `TektonConfig` CR +[source,yaml] +---- +apiVersion: operator.tekton.dev/v1alpha1 +kind: TektonConfig +metadata: + name: config +spec: + params: + - name: createRbacResource + value: "false" + profile: all + targetNamespace: openshift-pipelines + addon: + params: + - name: clusterTasks + value: "true" + - name: pipelineTemplates + value: "true" +... +---- + +[WARNING] +==== +As a cluster administrator or an user with appropriate privileges, when you disable the automatic creation of RBAC resources for all namespaces, the default `ClusterTask` resource does not work. For the `ClusterTask` resource to function, you must create the RBAC resources manually for each intended namespace. +==== +
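Review bot: In the second hunk of `cicd/pipelines/installing-pipelines.adoc`, the new include comment reads "// Disabling automatic creation of RBAC resources" while the module it pulls in is titled "= Disabling the automatic creation of RBAC resources"; align the comment with the module title so the assembly stays greppable by heading. The comma added to "in a restricted environment, see:" is correct.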
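Review bot: The new module's header comment lists the including assembly as `*/openshift_pipelines/installing-pipelines.adoc`, but the only assembly that includes it in this patch is `cicd/pipelines/installing-pipelines.adoc`; update the comment to `// * cicd/pipelines/installing-pipelines.adoc`. Two smaller points in the same file: "an user with appropriate privileges" in the WARNING should read "a user with appropriate privileges", and the regular expression `^(openshift|kube)-*` as written matches any namespace whose name merely begins with `openshift` or `kube` (the `-*` allows zero hyphens), so confirm this is the exact pattern the Operator applies rather than `^(openshift|kube)-`. The trailing `...` inside the `[source,yaml]` block is the YAML document-end marker, not an elision; either drop it or make the example complete.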