docs(security): note shared SA privilege on Jobs (OSPRH-32425 / FIND-…#77
Merged
pinikomarov merged 1 commit intoJul 13, 2026
Conversation
…013) All four Job specs use openshift-gitops-argocd-application-controller, the shared ArgoCD SA, which carries the full gitops-openstack ClusterRole. Each Job only needs a narrow slice of that privilege: - approve-installplan: get/list/patch installplans in openstack-operators - controlplane post-delete hook: delete openstackcontrolplanes in openstack - dataplane post-delete hook: delete openstackdataplaneservices in openstack - observability post-delete hook: delete CSVs in openshift-operators Add inline comments on each serviceAccountName field documenting the FIND-013 design recommendation: create a dedicated SA per Job with a minimal Role/ClusterRole and automountServiceAccountToken: true only on the Job pod spec. The approve-installplan Job is a CI/lab convenience for Manual installPlanApproval and will become unnecessary with OLM v2 (ClusterExtension API). The post-delete hooks are example patterns not intended for production use as-is. Addressed as informational: the excess privilege originates in FIND-001 (gitops-openstack ClusterRole scope); this finding tracks the least-privilege design recommendation for Job SAs. Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
cjeanner
approved these changes
Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
…013)
All four Job specs use openshift-gitops-argocd-application-controller, the shared ArgoCD SA, which carries the full gitops-openstack ClusterRole. Each Job only needs a narrow slice of that privilege:
Add inline comments on each serviceAccountName field documenting the FIND-013 design recommendation: create a dedicated SA per Job with a minimal Role/ClusterRole and automountServiceAccountToken: true only on the Job pod spec.
The approve-installplan Job is a CI/lab convenience for Manual installPlanApproval and will become unnecessary with OLM v2 (ClusterExtension API). The post-delete hooks are example patterns not intended for production use as-is.
Addressed as informational: the excess privilege originates in FIND-001 (gitops-openstack ClusterRole scope); this finding tracks the least-privilege design recommendation for Job SAs.