
Scope: How to configure the KOBIL Shift deployment to use predefined ServiceAccounts (SA). This allows the KOBIL Shift deployment to run without cluster-admin permissions.

Background: by default the KOBIL Shift deployment expects to run in the context of a ServiceAccount that holds Kubernetes cluster-admin rights, so that all required resources and objects can be created. Where security concerns require it, these rights can be limited as described below.

Prepare non-cluster-admin service account to deploy Shift operator

Prerequisites

  • Service account ci-user in namespace service-accounts with a cluster role binding to the built-in cluster role admin, e.g.:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: ci-user
      namespace: service-accounts
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ci-user-admin
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: admin
    subjects:
    - kind: ServiceAccount
      name: ci-user
      namespace: service-accounts
  • Namespace shift for the Shift operator deployment.

Extend ci-user's permissions

The following steps must be performed by a cluster admin. They are needed because Kubernetes RBAC only lets a subject create a role binding for permissions it already holds itself: ci-user cannot bind the shift.kobil.com permissions to the shift-operator service account in the next section unless it has been granted them first.

  • Create cluster role ks-shift-operator containing the additional permissions required by the Shift Operator (KOBIL can provide a more detailed role declaration when required):

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: ks-shift-operator
    rules:
    - apiGroups:
      - shift.kobil.com
      resources:
      - '*'
      verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  • Create a cluster role binding that binds service account ci-user to cluster role ks-shift-operator:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: ci-user-ks-shift-operator
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: ks-shift-operator
    subjects:
    - kind: ServiceAccount
      name: ci-user
      namespace: service-accounts

Create the shift-operator service account and required role bindings

The following steps can be performed by the ci-user.

  • Create service account shift-operator in namespace shift.

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: shift-operator
      namespace: shift
  • Create a role binding in namespace shift that binds service account shift-operator to the built-in cluster role admin. Because this is a RoleBinding rather than a ClusterRoleBinding, the admin permissions apply only inside namespace shift.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: shift-operator-admin
      namespace: shift
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: admin
    subjects:
    - kind: ServiceAccount
      name: shift-operator
      namespace: shift
  • Create a role binding in namespace shift that binds service account shift-operator to cluster role ks-shift-operator.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: shift-operator-ks-shift-operator
      namespace: shift
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: ks-shift-operator
    subjects:
    - kind: ServiceAccount
      name: shift-operator
      namespace: shift
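To check the resulting permission model before applying the manifests, the following is an added Python example (not part of the KOBIL documentation) that models the bindings from the sections above and answers the same questions kubectl auth can-i would. It assumes the subject names system:serviceaccount:service-accounts:ci-user and system:serviceaccount:shift:shift-operator, and abbreviates the built-in admin cluster role to a constructed subset.

```python
# Constructed stand-in for the RBAC objects on this page (not KOBIL code).
# The built-in ClusterRole 'admin' is abbreviated to a few resources; what
# matters is that it grants nothing in the shift.kobil.com API group.
ALL_VERBS = ["create", "delete", "get", "list", "patch", "update", "watch"]
CI_USER = "system:serviceaccount:service-accounts:ci-user"
SHIFT_OP = "system:serviceaccount:shift:shift-operator"

# role name -> list of rules (apiGroups, resources, verbs)
CLUSTER_ROLES = {
    "admin": [(["", "apps", "rbac.authorization.k8s.io"],
               ["serviceaccounts", "deployments", "rolebindings"], ALL_VERBS)],
    "ks-shift-operator": [(["shift.kobil.com"], ["*"], ALL_VERBS)],
}

# (kind, namespace for a RoleBinding or None for cluster scope, roleRef, subject)
BINDINGS = [
    ("ClusterRoleBinding", None, "admin", CI_USER),              # prerequisite
    ("ClusterRoleBinding", None, "ks-shift-operator", CI_USER),  # cluster-admin step
    ("RoleBinding", "shift", "admin", SHIFT_OP),                 # ci-user step
    ("RoleBinding", "shift", "ks-shift-operator", SHIFT_OP),     # ci-user step
]


def rule_allows(rule, group, resource, verb):
    groups, resources, verbs = rule
    return ((group in groups or "*" in groups)
            and (resource in resources or "*" in resources)
            and (verb in verbs or "*" in verbs))


def can_i(subject, verb, group, resource, namespace, bindings=BINDINGS):
    """Answer 'kubectl auth can-i' for one subject. A RoleBinding to a
    ClusterRole grants the role only inside the binding's own namespace;
    a ClusterRoleBinding grants it in every namespace."""
    for kind, ns, role, who in bindings:
        if who != subject or (kind == "RoleBinding" and ns != namespace):
            continue
        if any(rule_allows(r, group, resource, verb) for r in CLUSTER_ROLES[role]):
            return True
    return False


def can_bind(subject, role, namespace, bindings=BINDINGS):
    """RBAC escalation prevention: a subject may create a binding to a role
    only if it already holds every permission of that role at the target
    scope (the alternative 'bind' verb on the role is not modelled here)."""
    return all(can_i(subject, v, g, r, namespace, bindings)
               for groups, resources, verbs in CLUSTER_ROLES[role]
               for g in groups for r in resources for v in verbs)
```

Removing the ci-user-ks-shift-operator binding from BINDINGS makes can_bind return False for ci-user, which is exactly why the cluster-admin step above is required.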

Shift Operator helm chart metaconfiguration / values.yaml

Use the following configuration when deploying Shift operator helm chart to make sure the service account shift-operator prepared in the previous step is used:

pod:
  serviceAccount:
    create: false
    name: "shift-operator"
rbac:
  create: false

Update Shift helm chart metaconfiguration / values.yaml

Use the following configuration when deploying the Shift helm chart to make sure the service account (SA) shift-service prepared in the namespace is used:
NOTE: This override has to be added to each service section of the Shift helm chart.

<service-name-section>:
  valuesOverride:
    pod:
      serviceAccount:
        create: false
        name: "shift-service"
    createRbac: false