Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Action] Create kubeconfig with read-only scope #18

Closed
nikimanoledaki opened this issue Jan 9, 2024 · 4 comments · Fixed by #23
Closed

[Action] Create kubeconfig with read-only scope #18

nikimanoledaki opened this issue Jan 9, 2024 · 4 comments · Fixed by #23
Assignees
@dipankardas011
Labels
area/access board/wg-green-reviews good first issue Good for newcomers priority/important-soon
Milestone
[Q1 24] Measure t...

Comments

@nikimanoledaki
Copy link
Contributor

nikimanoledaki commented Jan 9, 2024
edited
Loading

We need to give individual contributors read-only access to the cluster.

This can be done by creating a Role with “get”, ”watch”, ”list” permissions, create a ServiceAccount, then generate a kubeconfig for this.

The resources should be limited to Pods to begin with.

See here for a tutorial/example of how to do this.
@nikimanoledaki nikimanoledaki changed the title Grant cluster access through scoped kubeconfig [Action] Create kubeconfig with read-only scope Jan 9, 2024
@AntonioDiTuri AntonioDiTuri mentioned this issue Jan 9, 2024
Closed
@nikimanoledaki nikimanoledaki mentioned this issue Jan 10, 2024
Closed
@dipankardas011
Copy link
Contributor

Questions

  • Should this be automated process or done once manually?
  • Also should we use clusterRole or namespaced scoped role?

@dipankardas011
Copy link
Contributor

I can work on this
@nikimanoledaki

@nikimanoledaki
Copy link
Contributor Author

nikimanoledaki commented Jan 11, 2024
edited
Loading

Wonderful, thank you @dipankardas011!

Should this be automated process or done once manually?

We can start with one-time manually to unblock contributors. It would then be great if you could suggest a process to automate this as part of this issue as well since clusters will be ephemeral :)

Also should we use clusterRole or namespaced scoped role?

I think it's ok to have a cluster-wide access with clusterRole as long as it's read/list/watch only 👍

@nikimanoledaki nikimanoledaki removed the help wanted Extra attention is needed label Jan 11, 2024
@dipankardas011
Copy link
Contributor

dipankardas011 commented Jan 11, 2024
edited
Loading

Also @nikimanoledaki can I assume we have the kubeconfig in some file or as a string type in any programmnig language?

I was thinking of using golang to use the kubernetes-go client to create those

but first I will try it out via manual process

@dipankardas011 dipankardas011 mentioned this issue Jan 12, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dipankardas011 dipankardas011

Labels
area/access board/wg-green-reviews good first issue Good for newcomers priority/important-soon
Projects
None yet
Milestone
[Q1 24] Measure the cloud native sust...
Development

Successfully merging a pull request may close this issue.

Script to generate readonly kubeconfig
2 participants
@nikimanoledaki @dipankardas011