Skip to content

docs(security): note shared SA privilege on Jobs (OSPRH-32425 / FIND-…#77

Merged
pinikomarov merged 1 commit into
openstack-k8s-operators:mainfrom
pinikomarov:glasswing/find-013-sa-note
Jul 13, 2026
Merged

docs(security): note shared SA privilege on Jobs (OSPRH-32425 / FIND-…#77
pinikomarov merged 1 commit into
openstack-k8s-operators:mainfrom
pinikomarov:glasswing/find-013-sa-note

Conversation

@pinikomarov

Copy link
Copy Markdown
Contributor

…013)

All four Job specs use openshift-gitops-argocd-application-controller, the shared ArgoCD SA, which carries the full gitops-openstack ClusterRole. Each Job only needs a narrow slice of that privilege:

  • approve-installplan: get/list/patch installplans in openstack-operators
  • controlplane post-delete hook: delete openstackcontrolplanes in openstack
  • dataplane post-delete hook: delete openstackdataplaneservices in openstack
  • observability post-delete hook: delete CSVs in openshift-operators

Add inline comments on each serviceAccountName field documenting the FIND-013 design recommendation: create a dedicated SA per Job with a minimal Role/ClusterRole and automountServiceAccountToken: true only on the Job pod spec.

The approve-installplan Job is a CI/lab convenience for Manual installPlanApproval and will become unnecessary with OLM v2 (ClusterExtension API). The post-delete hooks are example patterns not intended for production use as-is.

Addressed as informational: the excess privilege originates in FIND-001 (gitops-openstack ClusterRole scope); this finding tracks the least-privilege design recommendation for Job SAs.

…013)

All four Job specs use openshift-gitops-argocd-application-controller,
the shared ArgoCD SA, which carries the full gitops-openstack ClusterRole.
Each Job only needs a narrow slice of that privilege:

  - approve-installplan: get/list/patch installplans in openstack-operators
  - controlplane post-delete hook: delete openstackcontrolplanes in openstack
  - dataplane post-delete hook: delete openstackdataplaneservices in openstack
  - observability post-delete hook: delete CSVs in openshift-operators

Add inline comments on each serviceAccountName field documenting the
FIND-013 design recommendation: create a dedicated SA per Job with a
minimal Role/ClusterRole and automountServiceAccountToken: true only on
the Job pod spec.

The approve-installplan Job is a CI/lab convenience for Manual
installPlanApproval and will become unnecessary with OLM v2
(ClusterExtension API). The post-delete hooks are example patterns
not intended for production use as-is.

Addressed as informational: the excess privilege originates in FIND-001
(gitops-openstack ClusterRole scope); this finding tracks the
least-privilege design recommendation for Job SAs.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
@pinikomarov pinikomarov requested a review from cjeanner July 12, 2026 07:32
@pinikomarov pinikomarov self-assigned this Jul 12, 2026
@pinikomarov pinikomarov merged commit 574fa97 into openstack-k8s-operators:main Jul 13, 2026
2 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants