We are trying to reduce the rights given to the ServiceAccount used by Onyxia, down from cluster-admin to... something.
In order to better understand this possible target could be, this PR adds a parameter to use a pre-existing ClusterRole as a replacement for cluster-admin hard-coded in the chart.
As of the initial commit, this is made in a minimalistic way, with a notable drawback : we keep the existing clusterAdmin parameter (which determines whether we use a Role or ClusterRole) as is. Given the aim of this PR, you might prefer a more drastic change, say renaming the clusterAdmin parameter to something else, to prevent possible confusion.
If need be, I'll add more commits to this effect if this is deemed useful. Of course, I'm also fine with direct merging as is. 😄
We are trying to reduce the rights given to the ServiceAccount used by Onyxia, down from
cluster-adminto... something.In order to better understand this possible target could be, this PR adds a parameter to use a pre-existing ClusterRole as a replacement for
cluster-adminhard-coded in the chart.As of the initial commit, this is made in a minimalistic way, with a notable drawback : we keep the existing
clusterAdminparameter (which determines whether we use a Role or ClusterRole) as is. Given the aim of this PR, you might prefer a more drastic change, say renaming theclusterAdminparameter to something else, to prevent possible confusion.If need be, I'll add more commits to this effect if this is deemed useful. Of course, I'm also fine with direct merging as is. 😄