Open petersutter opened 1 year ago
Out of curiosity: Isn't the title somewhat misleading? The dashboard will always require permissions to read and write (cloud provider) secrets, but in that case (different from viewers), it's done with the end user's token, or what's the (current) state?
Yes, correct. We always use the user's token to read / write cloud provider secrets, but to read the monitoring secret we take the dashboard user: https://github.com/gardener/dashboard/blob/master/backend/lib/services/shoots.js#L317-L324. I have updated the title accordingly so that it is clear that I'm talking about the dashboard client.
What would you like to be added: The `get secrets` permission of the dashboard client (which is "almost" as powerful as having the cluster-admin permission) is required for: https://github.com/gardener/dashboard/blob/79703af3a66ffbbd693d7aa941bf65ac7e3804a7/charts/gardener-dashboard/charts/application/templates/clusterrole.yaml#L63-L69

To get rid of the `get secret` permission we need to solve
Why is this needed: