Open simonferquel opened 6 years ago
This is one of the more important requirements for us in Helm 3. Stay tuned for an updated proposal for Helm 3 that takes this into account.
It looks like this discussion might be happening over in kubernetes-helm/community, specifically for Security, is that the correct place to watch?
@simonferquel Yes, the new Helm 3 proposal is there.
One particular aspect I find dangerous with Helm is its security model: if you get credentials to connect to a Tiller instance, you are basically elevated to the same rights as Tiller's SA. With api-server aggregation, user identity can be recorded on POST/PUT/PATCH operations so that the controller can impersonate it (so the k8s resources are created under the user identity).
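The impersonation flow described in the issue, as an added example that is not part of the original thread or of Helm's code: a controller behind API aggregation copies the recorded caller identity onto its outbound request to the core API server. The helper name and the `X-Remote-*` header names (the conventional values of the kube-apiserver `--requestheader-*-headers` flags) are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Assumed header names: the conventional values of the kube-apiserver
// --requestheader-username-headers and --requestheader-group-headers flags.
const (
	remoteUser  = "X-Remote-User"
	remoteGroup = "X-Remote-Group"
)

// applyImpersonation (hypothetical helper) copies the identity the aggregator
// recorded on the inbound request onto an outbound core-API request, so RBAC
// is evaluated for the end user rather than for the controller's own SA.
// It assumes the inbound connection was already authenticated against the
// front-proxy client CA; without that check these headers are forgeable.
func applyImpersonation(in, out http.Header) error {
	user := in.Get(remoteUser)
	if user == "" {
		// Fail closed: never fall back to the controller's own rights.
		return errors.New("no user identity on request")
	}
	// Discard any Impersonate-* header that arrived from the client side.
	for name := range out {
		if strings.HasPrefix(name, "Impersonate-") {
			out.Del(name)
		}
	}
	out.Set("Impersonate-User", user)
	for _, g := range in.Values(remoteGroup) {
		out.Add("Impersonate-Group", g)
	}
	return nil
}

func main() {
	// Constructed sample request headers.
	in := http.Header{}
	in.Set(remoteUser, "alice")
	in.Add(remoteGroup, "dev")
	out := http.Header{"Impersonate-User": {"cluster-admin"}}
	fmt.Println(applyImpersonation(in, out), out)
}
```

The controller's own service account then only needs the `impersonate` verb in RBAC, and every created resource is authorized and audited against the end user.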