Open jonmoter opened 5 years ago
Would it be possible to create another user that has readonly permissions? Then you can configure them both in your kube config file and change contexts as needed.
I have a ClusterRoleBinding like this set up:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: readonly
```
So I can say `kubectl --as readonly ...` and all is good in the world.
But that user doesn't have an entry in our OIDC identity provider; doesn't have a username/password, etc. There's no way to authenticate as the readonly user. And if I want to configure my kubeconfig file, I need to have some way of authenticating as that user.
I could create a system user, bind it to the view ClusterRole, steal its service account token, and put it into the kubeconfig file. That could work, but I'm not a huge fan of that pattern.
Consider this a low-priority feature request. If I find the time to hack up a PR to implement it myself, I'll take a stab at it.
As someone who administers kubernetes clusters, when I use `kubectl` I have relatively high permissions. I have some aliases set up so I can execute `kubectl --as=${LIMITED_USER} ...` to take advantage of user impersonation, and run most commands as a lower-privileged user. It would be nice to have a mechanism like that so I can run octant specifying a user that has readonly permissions, to be able to control which resources octant is able to access, for security reasons and peace of mind.
Maybe an env var like `OCTANT_IMPERSONATE_USER`.
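The kubeconfig format already supports baking impersonation into a context (the `as` / `as-groups` fields on a user entry, which kubectl and client-go turn into `Impersonate-User` / `Impersonate-Group` headers), so a read-only context can be added beside the admin one without any service account token. The script below is an added example, not code from the issue or from Octant; the sample kubeconfig, the `prod-admin` context name and the placeholder token are constructed for illustration.

```python
"""Derive a read-only impersonation context from an existing kubeconfig.

The new user entry keeps the admin's real credentials (that identity is what
the API server authenticates and what the audit log records as the caller)
and adds `as`, so every request is authorized as the impersonated user.
The admin identity must itself be allowed the `impersonate` verb on `users`.
"""
import copy
import json

# Constructed sample kubeconfig: one admin context with a placeholder OIDC token.
SAMPLE_KUBECONFIG = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [{"name": "prod", "cluster": {"server": "https://k8s.example.invalid"}}],
    "users": [{"name": "admin-oidc", "user": {"token": "PLACEHOLDER-OIDC-ID-TOKEN"}}],
    "contexts": [{"name": "prod-admin", "context": {"cluster": "prod", "user": "admin-oidc"}}],
    "current-context": "prod-admin",
}


def add_impersonation_context(cfg, base_context, impersonate_user, groups=(), suffix="readonly"):
    """Return a deep copy of cfg with an extra user+context impersonating impersonate_user."""
    cfg = copy.deepcopy(cfg)
    ctx = next(c for c in cfg["contexts"] if c["name"] == base_context)
    base_user = next(u for u in cfg["users"] if u["name"] == ctx["context"]["user"])
    new_user_name = f"{base_user['name']}-as-{impersonate_user}"
    new_user = {"name": new_user_name, "user": dict(base_user["user"], **{"as": impersonate_user})}
    if groups:
        new_user["user"]["as-groups"] = list(groups)
    cfg["users"].append(new_user)
    cfg["contexts"].append(
        {"name": f"{base_context}-{suffix}", "context": dict(ctx["context"], user=new_user_name)}
    )
    return cfg


def impersonation_headers(user_entry):
    """HTTP headers a kubectl/client-go client sends for this user entry (groups as a list)."""
    headers = {}
    if "as" in user_entry:
        headers["Impersonate-User"] = user_entry["as"]
    if user_entry.get("as-groups"):
        headers["Impersonate-Group"] = list(user_entry["as-groups"])
    return headers


if __name__ == "__main__":
    # YAML is a superset of JSON, so kubectl reads this output as a kubeconfig.
    print(json.dumps(add_impersonation_context(SAMPLE_KUBECONFIG, "prod-admin", "readonly"), indent=2))
```

Switch with `kubectl config use-context prod-admin-readonly` and confirm the effective permissions with `kubectl auth can-i --list`.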