Authentication
anton-johansson opened this issue
How does authentication work for this? It looks like Helm Wrapper is configured with a Kubeconfig. But that means that anyone who has access to the HTTP service can deploy whatever that Kubeconfig has access to.
Could it be an idea to provide a `ServiceAccount` somehow (via its token/`Secret`) and use that when deploying the Helm chart?
Now helm-wrapper really doesn't have auth. I can add basic auth.
Alright! I wasn't thinking of a generic basic auth that can be used. It would be great if I could configure a `ServiceAccount` that has full permission in namespace `abc123`. And then use the token for that `ServiceAccount` somehow, maybe through the `POST` body:

```json
{
  "serviceAccountToken": "xyz"
}
```

... or just a query parameter `?serviceAccountToken=xyz`, if you prefer having the `POST` body only "real" Helm options.
I'm not sure if this is technically possible though, but it feels like it should be possible. The `kubeconfig` can accept users using service account tokens, as far as I know:

```yaml
users:
- name: my-service-account
  user:
    token: xyz
```

The reason that I want this is that I can limit each individual access to individual namespaces, and get much more fine-grained access control.
Looks good. helm-wrapper supports multiple clusters, how does it support multiple clusters using ServiceAccount authentication?
The `kubeconfig` can have multiple clusters and multiple users, and those are connected via contexts. And Helm Wrapper already seems to have support for passing in `kube_context` (which I'm assuming is this kind of context).
The tricky part I guess would be to build up the `kubeconfig` dynamically, per request. Since I only want the clusters in my `kubeconfig` and not the actual users.
Yes, when using `ServiceAccount`, I have no idea how to support multiple clusters.
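
Added example (not code from helm-wrapper or from either commenter): one way the per-request `kubeconfig` discussed above could be assembled in Go, with only clusters kept on the server and the `ServiceAccount` token supplied by the caller. The `Cluster` type, the function names, the `Authorization: Bearer` header, the user name `caller` and the sample server URL are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Cluster is one server-side cluster entry (hypothetical type); it holds no credentials.
type Cluster struct {
	Server string `json:"server"`
	CAData string `json:"certificate-authority-data,omitempty"`
}

// bearerToken reads the caller's token from the Authorization header (assumed transport).
func bearerToken(r *http.Request) (string, error) {
	h := r.Header.Get("Authorization")
	if !strings.HasPrefix(h, "Bearer ") {
		return "", errors.New("missing bearer token")
	}
	tok := strings.TrimSpace(strings.TrimPrefix(h, "Bearer "))
	if tok == "" {
		return "", errors.New("empty bearer token")
	}
	return tok, nil
}

// buildKubeconfig returns a kubeconfig as JSON (valid YAML) for one request only.
func buildKubeconfig(clusters map[string]Cluster, kubeContext, token string) ([]byte, error) {
	c, ok := clusters[kubeContext]
	if !ok {
		return nil, fmt.Errorf("unknown kube_context %q", kubeContext)
	}
	type m = map[string]interface{}
	return json.Marshal(m{
		"apiVersion": "v1", "kind": "Config", "current-context": kubeContext,
		"clusters": []m{{"name": kubeContext, "cluster": c}},
		"users":    []m{{"name": "caller", "user": m{"token": token}}},
		"contexts": []m{{"name": kubeContext, "context": m{"cluster": kubeContext, "user": "caller"}}},
	})
}

func main() {
	clusters := map[string]Cluster{"prod": {Server: "https://prod.example.invalid:6443"}} // constructed sample
	out, err := buildKubeconfig(clusters, "prod", "xyz")
	fmt.Println(string(out), err)
}
```

With this shape the Kubernetes API server enforces the RBAC bound to the token on every Helm operation, so a caller whose `ServiceAccount` is limited to one namespace cannot deploy outside it.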