UNCLASSIFIED - NO CUI

No ServiceAccount option available for gluon script jobs

Overview

While the cypress half of gluon's testing functionality provides a cypress-specific ServiceAccount in _cypressutils.yaml and then uses it in _cypressrunner.yaml, there is currently no matching ServiceAccount option for the scripts/tests/* jobs. _scriptrunner.yaml does not set a serviceAccountName in its Pod spec, so there is nowhere to attach custom permissions for our test scripts.

I think we might want to add one.

Why is this a problem?

If a shell-script-based package test needs to interact with the Kubernetes API, our implementation necessarily has to lean on pre-existing or built-in service accounts, such as system:serviceaccount:gitlab:default as in gitlab!295 (merged). This means we are incidentally widening the permission scope of an account that was created for another purpose altogether, which could lead to bugs or unintended security holes.

Proposal

Duplicate the service account functionality from the cypress side of gluon over to the script side of gluon:

  • add a ServiceAccount, Role, and RoleBinding for gluon's script tests similar to those in _cypressutils.yaml
  • use that new ServiceAccount from within the Pod spec in _scriptrunner.yaml
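The shape of the proposed change, as an added example rather than gluon's own templates: the `gluon-script-test` name, the `example-package` namespace, the container image and the RBAC verbs are assumptions, and the verbs stay at whatever minimum a given package's scripts actually need instead of inheriting the namespace's default ServiceAccount.

```yaml
# Added illustration, not gluon's own templates: the names, namespace and
# RBAC verbs below are assumptions chosen to show the shape of the change.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gluon-script-test          # assumed name; mirrors the cypress SA pattern
  namespace: example-package       # assumed namespace of the package under test
automountServiceAccountToken: false  # the runner Pod opts in explicitly below
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gluon-script-test
  namespace: example-package
rules:
  # Only what the test script needs; widen per package rather than
  # reusing an account created for another purpose.
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gluon-script-test
  namespace: example-package
subjects:
  - kind: ServiceAccount
    name: gluon-script-test
    namespace: example-package
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gluon-script-test
---
# Pod spec as _scriptrunner.yaml might render it once it sets serviceAccountName.
apiVersion: v1
kind: Pod
metadata:
  name: gluon-script-test-runner
  namespace: example-package
spec:
  serviceAccountName: gluon-script-test   # the field the issue says is missing today
  automountServiceAccountToken: true
  restartPolicy: Never
  containers:
    - name: script
      image: registry.example/ci-toolkit:placeholder   # placeholder image
      command: ["/bin/sh", "-c", "kubectl get pods -n example-package"]
```

Because the Role is namespaced and the binding names only this ServiceAccount, a script test that needs more than `get`/`list` fails visibly on the RBAC check rather than silently succeeding through the broader `default` account.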
Edited by Daniel Pritchett