Adding possibility to configure multiple service accounts for different tasks #902
Conversation
googlebot
added
the
cla: yes
tekton-robot
added
size/L
|
/ok-to-test |
tekton-robot
removed
the
needs-ok-to-test
Gopkg.lock
Outdated
| @@ -22,7 +22,7 @@ | |||
| version = "v0.2.0" | |||
|
|
|||
| [[projects]] | |||
| digest = "1:355d491068cd888a3725d68cd09681a49251d6d8e3cb49120bf6b83a86c7ee0f" | |||
| digest = "1:c7ec3a8daf56c9d7c4bb36f498f6db3f8c339b1142300dcd4328950574f91c6f" | |||
There was a problem hiding this comment.
Was updating this file intentional?
There was a problem hiding this comment.
This file was updated by hack/update-deps.sh (dep ensure). First version of PR didn't have that change and failed on integration test(please see Prow history).
|
/assign @dlorenc |
|
In general this makes sense to me, but given it's an API change we should probably have another reviewer look. My reasoning for why this would make sense:
|
|
cc @bobcatfish @imjasonh to give the second sign off for an API review |
|
Same as @dlorenc, make sense to me ; mainly though of the first point, aka least-privilege 👼 |
|
Thanks for including the docs in the PR @cezkuj and welcome to the project!!! ❤️
I agree in general with being able to specify service accounts at the level of the Tasks within a Pipeline (and possibly also at the level of the PipelineResources, but that's another story :D). However I don't think we should put this in the We could have a section for config specific to each kind: PipelineRun
...
spec:
pipelineRef:
name: demo-pipeline
serviceAccount: 'default'
tasks:
...
- name: source-repo
serviceAccount: my-special-service-accountOr we could have a serviceAccount section: kind: PipelineRun
...
spec:
pipelineRef:
name: demo-pipeline
serviceAccount: 'default'
serviceAccounts:
...
- taskName: source-repo
serviceAccount: my-special-service-accountWhat do you think @vdemeester @dlorenc @imjasonh ? |
|
/hold |
tekton-robot
added
the
do-not-merge/hold
|
(Adding this to the WG agenda tomorrow in case folks want to discuss in person) |
|
oh yeah, definitely on |
Hm i don't think so - I'm not sure if that would work with our current design 🤔 The only difference b/w the two examples is whether the top level thing is called |
|
Hmm, I see some reasoning behind moving it to |
|
Didn't end up having time to discuss in the WG - I think go ahead with the |
|
Updated PR with |
There was a problem hiding this comment.
Looking great @cezkuj !! Thanks for your patience getting this reviewed 🙏
Since this changes the interface (#906), @vdemeester @dlorenc @imjasonh what do you think of this interface in PipelineRuns for specifying service accounts per task:
spec:
serviceAccount: sa-1
serviceAccounts:
- taskName: build-task
serviceAccount: sa-for-build
| serviceAccounts: | ||
| - taskName: build-task | ||
| serviceAccount: sa-for-build | ||
| ``` |
There was a problem hiding this comment.
this interface looks great! 👍
docs/pipelineruns.md
Outdated
| @@ -94,6 +94,15 @@ that is in the | |||
| [namespace](https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/) | |||
| of the `TaskRun` resource object. | |||
|
|
|||
| There is also possibility to configure service account for concrete `Task`, overriding `ServiceAccount` set in `PipelineRun`, for example: | |||
There was a problem hiding this comment.
i think it would be good to be clear that the taskName below is the name of the task within the Pipeline, vs. the Task crd.
maybe you could just add a bit more to the example, e.g. something like:
For example with this serviceAccount configuration:
spec:
serviceAccount: sa-1
serviceAccounts:
- taskName: build-task
serviceAccount: sa-for-buildIf used with this Pipeline, test-task will use the ServiceAccount sa-1, while build-task will use sa-for-build.
kind: Pipeline
spec:
tasks:
- name: build-task
taskRef:
name: build-push
tasks:
- name: test-task
taskRef:
name: testThere was a problem hiding this comment.
Hmm, TBH, as far as I see I've implemented it to refer to Task crd. Now it seems less obvious to me why I'd go this way (plus it seems obvious for you to go with referring PipelineTask ). I'll change that and update docs as you've mentioned. Thanks for review!:)
There was a problem hiding this comment.
Changed to PipelineTask way and extended docs. Please take a look once again. :)
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cezkuj, dibyom, vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
tekton-robot
added
the
approved
…nt tasks The pipeline specification allows multiple different service accounts for tasks so that different task can use the right service account. E.g. build task may need different privileges than deploy task Fixes - #777
|
/retest |
There was a problem hiding this comment.
Looks great, thanks @cezkuj !!! 🙏
/hold cancel
/lgtm
/meow space
| tasks: | ||
| - name: test-task | ||
| taskRef: | ||
| name: test |
There was a problem hiding this comment.
👍 thanks for adding this!
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
tekton-robot
added
lgtm
Changes
The pipeline specification allows multiple different service accounts for tasks so that different task can use the right service account.
E.g. build task may need different privileges than deploy task
Fixes
Submitter Checklist
These are the criteria that every PR should meet, please check them off as you
review them:
See the contribution guide
for more details.
Release Notes