If you can read a given cluster[1], you can get a cluster-admin kubeconfig for it. This makes it difficult to assign appropriate permissions -- generally you want to give a broad group of people the ability to see the particulars of clusters, but you don't want to give them admin access to the actual cluster.
I propose adding a new permission for accessing the kubeconfig for a cluster, which can be assigned to admin-level roles and left out of read-only roles[2].
[1]: https://github.com/nscaledev/uni-kubernetes/blob/main/pkg/server/handler/handler.go#L349 and https://github.com/nscaledev/uni-kubernetes/blob/main/pkg/server/handler/handler.go#L451
[2]: https://github.com/nscaledev/uni-identity/blob/main/charts/identity/values.yaml#L139
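
A sketch of the proposed split, added here as an example (not code from uni-kubernetes or uni-identity): the kubeconfig route requires its own scope, so a read-only role can still view the cluster. The scope names, role names, route paths and the `X-Role` header are hypothetical.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Hypothetical scope names and roles; not taken from uni-identity's values.yaml.
const (
	scopeClusters   = "kubernetes:clusters"
	scopeKubeconfig = "kubernetes:clusters:kubeconfig"
)
var roles = map[string]map[string]bool{
	"reader": {scopeClusters: true},
	"admin":  {scopeClusters: true, scopeKubeconfig: true},
}

// require rejects callers whose role lacks scope; X-Role stands in for a verified token claim.
func require(scope string, next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if !roles[r.Header.Get("X-Role")][scope] { // unknown roles hold no scopes
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func newMux() *http.ServeMux {
	ok := func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) }
	mux := http.NewServeMux()
	mux.HandleFunc("/clusters/c1", require(scopeClusters, ok))
	mux.HandleFunc("/clusters/c1/kubeconfig", require(scopeKubeconfig, ok)) // scopeClusters before the split
	return mux
}

// statusFor returns the HTTP status a role receives for a GET on path.
func statusFor(role, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Role", role)
	rec := httptest.NewRecorder()
	newMux().ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor("reader", "/clusters/c1"), statusFor("reader", "/clusters/c1/kubeconfig"))
}
```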