cloudpak-gitops icon indicating copy to clipboard operation
cloudpak-gitops copied to clipboard
verified publisher icon IBM

Remove dependency on cluster-admin role

Open nastacio opened this issue 3 years ago • 1 comments

Describe the bug Many of the Cloud Paks installations have dependencies on having the cluster-admin role assigned to the user performing the installation. This is often unnecessary and a problem for many installations, where security policy require minimum privilege assigned to all roles.

To Reproduce N/A, stated in the installation section of product documentation:

Expected behavior Remove the assignment of cluster-admin roles to the ArgoCD openshift-gitops-argocd-application-controller service account and replace it with the creation of new Role (or ClusterRole) with the minimum set of privileges required to install the product.

Screenshots If applicable, add screenshots to help explain your problem.

Additional context Add any other context about the problem here.

nastacio avatar Mar 28 '22 12:03 nastacio

CP4BA and CP4D have since introduced support for this type of installation, where the cluster admin can authorize a service account with narrower privileges, dedicated to the sole purpose of installing the Pak.

nastacio avatar Nov 16 '23 20:11 nastacio