syndesisio / syndesis-openshift-templates

OpenShift Templates for Syndesis

Template should define service account for ipaas-rest #3

Closed dsimansk closed 7 years ago

dsimansk commented 7 years ago

When template resources are deployed to an OCP cluster, there's an error in the ipaas-rest pod log about a missing SA to access the master API.

We should probably define the SA in the template and add a description to the readme, if the access is really required.

2017-02-14 08:17:39.371  WARN [bootstrap,,,] 1 --- [           main] i.f.s.cloud.kubernetes.StandardPodUtils  : Failed to get pod with name:[ipaas-rest-1-magn6]. You should look into this if things aren't working as you expect. Are you missing serviceaccount permissions?

io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://kubernetes.default.svc/api/v1/namespaces/dsimansk/pods/ipaas-rest-1-magn6. Message: Forbidden!Configured service account doesn't have access. Service account may have been revoked..

jimmidyson commented 7 years ago

@iocanel This is something coming from Spring Cloud Kubernetes. I'm not sure we need a service account for the REST API as we're going to be using the user's OAuth token to manage resources on their behalf. Thoughts?

iocanel commented 7 years ago

Yes, it's coming from s.c.k. When it bootstraps it checks if it's running inside kubernetes (it checks for the /var/run/secrets/kubernetes.io/serviceaccount/ca.crt and then if there is a matching pod with hostname).

We could possibly relax this check, but I think that the easiest thing to do is to use a service account. After all sooner or later we are going to need one.

jimmidyson commented 7 years ago

OK

jimmidyson commented 7 years ago

I think we should revisit the requirement in future as I'm not sure the REST API at least should ever need a service account that can access the REST API but for now let's add it in.

dsimansk commented 7 years ago

Afaik from my experience with SB Kubernetes, it needs at least view role to query for ConfigMaps, etc. I agree, there might be some future obstacles as you need to fiddle with roles a bit to get it working correctly.
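
Added example, not part of the thread and not the project's actual template: a template fragment that defines a service account for ipaas-rest and binds it to a namespaced Role covering only the pod lookup from the log and the ConfigMap queries mentioned above, as a narrower alternative to the `view` role. The template, Role and parameter names, the ConfigMap verbs, and the use of the current Kubernetes RBAC API are assumptions.

```yaml
# Added example; every name except "ipaas-rest" is hypothetical.
apiVersion: template.openshift.io/v1
kind: Template
metadata:
  name: ipaas-rest-sa-example          # hypothetical template name
parameters:
- name: NAMESPACE                      # hypothetical parameter: project the template is deployed to
  required: true
objects:
- apiVersion: v1
  kind: ServiceAccount
  metadata:
    name: ipaas-rest                   # assumed SA name, matching the pod prefix in the log
# Namespaced Role limited to the calls discussed in the thread.
- apiVersion: rbac.authorization.k8s.io/v1
  kind: Role
  metadata:
    name: ipaas-rest-bootstrap         # hypothetical
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get"]                     # the GET on the pod that returned Forbidden
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch"]    # assumed verbs for the ConfigMap queries
- apiVersion: rbac.authorization.k8s.io/v1
  kind: RoleBinding
  metadata:
    name: ipaas-rest-bootstrap         # hypothetical
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: Role
    name: ipaas-rest-bootstrap
    # Broader alternative from the thread: kind: ClusterRole, name: view
  subjects:
  - kind: ServiceAccount
    name: ipaas-rest
    namespace: ${NAMESPACE}            # required for ServiceAccount subjects
# The pod only uses this account if its pod spec sets
#   serviceAccountName: ipaas-rest
# otherwise it runs as the project's "default" service account.
```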

iocanel commented 7 years ago

@jimmidyson: ok, if you strongly feel that the rest api should never need a service account, let's remove s.c.k now or else it will be much harder to do later.

If we have a really good reason to use s.c.k, we can bring it back later.

jimmidyson commented 7 years ago

@iocanel I don't feel that strongly about it. We need to merge fabric8io/kubernetes-client#659 and get a s.c.k. release out with a new kube client release included.

jimmidyson commented 7 years ago

Fixed in 4f7b208088a6e0829470cdf2009cc42050419172.