Currently, Onyxia-api does everything (both kubectl and helm) using a single service account that is supposed to be cluster-admin.

Here are some improvements we could make:

- All regular kubectl and helm calls should be made using the user's permissions
- Onboarding (creating the user's namespace, applying permissions ...) should be done using a separate service account and preferably done in another process / pod (externalize the onboarding process as a standalone API?)
- Try to reduce, or at least refine and make explicit, the permissions needed for the onboarding feature. Currently, it defaults to creating a cluster-admin service account, which is probably too much