Merge pull request #50974 from sjhala-ccs/BZ2107507

sjhala-ccs · web-flow · commit 658292b74853 · 2022-11-03T15:11:15.000-04:00
BZ2107507: Added note about checkup permissions
diff --git a/modules/virt-about-cluster-checkup-framework.adoc b/modules/virt-about-cluster-checkup-framework.adoc
@@ -10,4 +10,13 @@ A _checkup_ is an automated test workload that allows you to verify if a specifi
 
 By using predefined checkups, cluster administrators can improve cluster maintainability, troubleshoot unexpected behavior, minimize errors, and save time. They can also review the results of the checkup and share them with experts for further analysis. Vendors can write and publish checkups for features or services that they provide and verify that their customer environments are configured correctly.
 
-Running a predefined checkup in the cluster involves setting up the namespace and service account for the framework, creating the `ClusterRole` and `ClusterRoleBinding` objects for the service account, enabling permissions for the checkup, and creating the input config map and the checkup job. You can run a checkup multiple times. 
+Running a predefined checkup in the cluster involves setting up the namespace and service account for the framework, creating the `ClusterRole` and `ClusterRoleBinding` objects for the service account, enabling permissions for the checkup, and creating the input config map and the checkup job. You can run a checkup multiple times.
+
+[IMPORTANT]
+====
+You must always:
+
+* Verify that the checkup image is from a trustworthy source before applying it.
+* Review the checkup permissions before creating the `ClusterRole` and `Role` objects.
+* Verify the name of the `ServiceAccount` in the config map. This is because the framework automatically binds these permissions to the checkup instance.
+====
