In some scenarios - specifically using cm in CI-like scenarios including Tekton tasks - the acting user may not have permissions to create a ServiceAccount, or you may not want a ServiceAccount to be created for a one-time-use task like CI - leaking a large number of ServiceAccounts.
I would propose that we add a function to cm create cph that allows you to specify --service-account=<service-account> that queries the token for that ServiceAccount and uses it for the CPH as opposed to creating a new one.
In order to serve CI use-cases - we also need to eliminate the need for a pre-existing RBAC group - we should just take in a bare service account that the user has already created (probably explicitly for CI) and use that. That way multiple jobs that lack the shared known-cphs and related contexts can still reuse the same service account.
Specifically I'm thinking - if --service-account is specified, we need to drop the requirement for --group and use --namespace only for finding the ServiceAccount we were given.