Better handling of pre-existing service accounts by the rbac-manager operator

[chaitanyakolluru]

We have few service accounts that are created outside of our rbacDefinitions and the rbac-manager operator logs show attempts to create each service account whenever it tries to reconcile service accounts on the cluster. Outside of adding label rbac-manager=reactiveops to those pre-existing service accounts there isn't a way for us to prevent rbac-manager from trying to create those service accounts.

I believe there should be a new label that rbac-manager looks for so we can manage service accounts we don't want rbac-manager trying to create upon reconciliation.

One option is to add the label to our pre-existing service accounts, but not sure if that brings in unforeseen issues.

Logs for rbac-manager show repeated error logs attempting to create service account created outside of rbacDefinitions.

[sudermanjr]

Thanks! We definitely need to reconsider some of the service account management in general. Probably at the same time we can address #137

[eryalito]

Hey! I want to bump this up with an idea I got from this comment: #137 (comment)

Would you consider accepting a feature to avoid creating (or trying to create) SAs with a specific field on each SA definition? (With default value to create the serviceaccount to preserve backwards compatibility)
So a RBD example that DO NOT create/sync the SA would look like:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: robot-rbac
rbacBindings:
  - name: robot-ci
    subjects:
      - kind: ServiceAccount
        namespace: app
        name: robot
        createServiceAccount: false
    roleBindings:
      - clusterRole: edit
        namespace: app

So when createServiceAccount is defined and set to false rbac-manager wouldn't create or sync the SA -also if imagePullsSecrets are defined they won't be created-.

I'm not sure about the name of it would be better to be defined at RBD level and applied to all of the SAs. What are your thoughts on this?

[posquit0]

@sudermanjr I need the same feature! +1

[EricPE69]

We are interesting by this feature

[pawcykca]

+1