headlamp-k8s / headlamp

A Kubernetes web UI that is fully-featured, user-friendly and extensible
https://headlamp.dev
Apache License 2.0

Can we add an API to get an auth token? #2279

Open shuaiyy opened 1 month ago

shuaiyy commented 1 month ago

In my use case, I deployed a read-only Headlamp. When I need to inspect my cluster, I have to execute kubectl create token myapp --duration 1h.

What if we add an API to generate a token via the Headlamp backend server, using its pod's in-cluster service account?

The risks associated with the API interface are borne by the person deploying the service. The interface can be enabled or disabled via a parameter switch, and it can be protected with a simple password.

illume commented 3 weeks ago

Hi,

thanks for writing.

I wonder about this, as it does seem like a use case that people will run into.

It could perhaps be an alternative to having to set up something more complicated.

Such a service could of course be deployed separately to Headlamp. I wonder, however, if there's some gain to integrating support for this inside Headlamp itself or a plugin for Headlamp? Perhaps a UI could be present if this "Create service token service" is enabled.

A simple password would in effect be making a non-expiring token, because the password would never expire and would allow creating a new token at any time. And since the password and a long-expiring token are almost equivalent, I wonder about making a longer-expiry token instead?

@yolossn what do you think?