Merge pull request #40749 from sounix000/3304-default-pipeline-SA

Preeticp · web-flow · commit dac99ee70173 · 2022-03-14T20:56:57.000+05:30
RHDEVDOCS-3304 Document disabling the default pipelines SA
diff --git a/cicd/pipelines/installing-pipelines.adoc b/cicd/pipelines/installing-pipelines.adoc
@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
+[role="_abstract"]
 This guide walks cluster administrators through the process of installing the {pipelines-title} Operator to an {product-title} cluster.
 
 // Prerequisites for installing OpenShift Operator
@@ -36,13 +37,17 @@ include::modules/op-installing-pipelines-operator-using-the-cli.adoc[leveloffset
 
 include::modules/op-pipelines-operator-in-restricted-environment.adoc[leveloffset=+1]
 
+// Disabling automatic creation of RBAC resources 
+
+include::modules/op-disabling-automatic-creation-of-rbac-resources.adoc[leveloffset=+1]
+
 
 [role="_additional-resources"]
 == Additional resources
 
 * You can learn more about installing Operators on {product-title} in the xref:../../operators/admin/olm-adding-operators-to-cluster.adoc#olm-adding-operators-to-a-cluster[adding Operators to a cluster] section.
 
-* For more information on using pipelines in a restricted environment see:
+* For more information on using pipelines in a restricted environment, see:
 
 ** xref:../../cicd/pipelines/creating-applications-with-cicd-pipelines.html#op-mirroring-images-to-run-pipelines-in-restricted-environment_creating-applications-with-cicd-pipelines[Mirroring images to run pipelines in a restricted environment]
 
diff --git a/modules/op-disabling-automatic-creation-of-rbac-resources.adoc b/modules/op-disabling-automatic-creation-of-rbac-resources.adoc
@@ -0,0 +1,39 @@
+// Module included in the following assemblies:
+//
+// */openshift_pipelines/installing-pipelines.adoc
+:_content-type: CONCEPT
+[id="op-disabling-automatic-creation-of-rbac-resources_{context}"]
+= Disabling the automatic creation of RBAC resources
+
+[role="_abstract"]
+The default installation of the {pipelines-title} Operator creates multiple role-based access control (RBAC) resources for all namespaces in the cluster, except the namespaces matching the `^(openshift|kube)-*` regular expression pattern. Among these RBAC resources, the `pipelines-scc-rolebinding` security context constraint (SCC) role binding resource is a potential security issue, because the associated `pipelines-scc` SCC has the `RunAsAny` privilege. 
+
+To disable the automatic creation of cluster-wide RBAC resources after the {pipelines-title} Operator is installed, cluster administrators can set the `createRbacResource` parameter to `false` in the cluster-level `TektonConfig` custom resource (CR).
+
+.Example `TektonConfig` CR
+[source,yaml]
+----
+apiVersion: operator.tekton.dev/v1alpha1
+kind: TektonConfig
+metadata:
+  name: config
+spec:
+  params:
+  - name: createRbacResource
+    value: "false"
+  profile: all
+  targetNamespace: openshift-pipelines
+  addon:
+    params:
+    - name: clusterTasks
+      value: "true"
+    - name: pipelineTemplates
+      value: "true"
+...
+----
+
+[WARNING]
+====
+As a cluster administrator or an user with appropriate privileges, when you disable the automatic creation of RBAC resources for all namespaces, the default `ClusterTask` resource does not work. For the `ClusterTask` resource to function, you must create the RBAC resources manually for each intended namespace.
+====
+
