Controlling Service Account roles when using the Kubernetes and Kubernetes Client extension #16612
Comments
/cc @geoand
We could likely have a config property that controls this behavior, WDYT @iocanel ?
In theory people could specify the rbac configuration in src/main/kubernetes and make it as strict as they need to. Haven't tried it though... Now I can see a feature flag to disable the generation of rbac resources. Also we could point to an existing Role binding or even control the privileges. These are all valid approaches.
@iocanel specifying the rbac configuration src/main/kubernetes does add them to the generated descriptors, but if the name is not the same as would be generated it is just added and the *-view rolebinding is still generated. A bit more control over how it all is generated seems a good idea to me.
These changes address a long-time issue with regard to K8s RBAC resources (see related issues). These changes allow generating custom Roles, ClusterRoles, ServiceAccount, and RoleBindings. Plus, they allow the Kubernetes Client and Kubernetes Config extensions to configure the role binding to generate. Fix quarkusio#16612 Fix quarkusio#19286 Fix quarkusio#15422
Description
It currently is impossible to disable the service account generation when using the Kubernetes and Kubernetes Client extension in a project. It generates a service account and a rolebinding linked to the view role. Sometimes this is not strict enough. It is possible to work around using Kustomize, but this way using the deployment feature of the Kubernetes extension is impossible.
Being able to disable the Service Account generation will solve this, but that is not optimal as a Service Account and RoleBinding would have to be applied outside of the extension control.
Another option might be to specify a role to bind to instead of view. The role could either be provided using the kubernetes.yml in the source tree or it would need to be present on deployment already. Any check on the existence of the role should be configurable.
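A pre-deployment check for the situation this issue describes, as an added example that is not part of the issue or of Quarkus: it scans descriptors loaded as JSON and reports every ServiceAccount still bound to a built-in broad ClusterRole such as `view`. The resource names (`myapp`, `myapp-view`, `myapp-configmaps`) and the trimmed sample manifests are constructed for illustration.

```python
import json

# Constructed sample: a ServiceAccount and "*-view" RoleBinding like those the
# issue describes, plus a narrower custom Role and binding. Names are made up.
SAMPLE = json.loads("""
[
 {"kind": "ServiceAccount", "metadata": {"name": "myapp"}},
 {"kind": "RoleBinding", "metadata": {"name": "myapp-view"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "myapp"}]},
 {"kind": "Role", "metadata": {"name": "myapp-configmaps"},
  "rules": [{"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "myapp-configmaps"},
  "roleRef": {"kind": "Role", "name": "myapp-configmaps"},
  "subjects": [{"kind": "ServiceAccount", "name": "myapp"}]}
]
""")

# Kubernetes' built-in user-facing ClusterRoles; anything bound here is coarse.
BROAD_ROLES = {"view", "edit", "admin", "cluster-admin"}

def flatten(doc):
    """Yield resources from one object, a JSON array, or a kind: List wrapper."""
    if isinstance(doc, list):
        for item in doc:
            yield from flatten(item)
    elif isinstance(doc, dict) and doc.get("kind") == "List":
        yield from flatten(doc.get("items", []))
    elif isinstance(doc, dict):
        yield doc

def broad_bindings(doc):
    """Return (binding, cluster_role, service_account) for each coarse grant."""
    findings = []
    for res in flatten(doc):
        if res.get("kind") not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = res.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in BROAD_ROLES:
            continue
        for subj in res.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                findings.append((res["metadata"]["name"], ref["name"], subj["name"]))
    return findings

if __name__ == "__main__":
    for binding, role, sa in broad_bindings(SAMPLE):
        print(f"{binding}: ServiceAccount {sa} is bound to ClusterRole {role}")
```

Run against the descriptors a build produces, a non-empty result means the custom Role was added alongside the `view` binding rather than replacing it.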