Authentication based on tiller service account
Right now the only way to specify a service account is by the configmap definition. It would be nice if you could log in on the web page using a service account token (like the Kubernetes dashboard) or even just dynamically specify which service account it should use for tiller. This way you can leave authentication to Kubernetes RBAC.
Currently we have one tiller pod per team, each with its team's service account (so they can only do stuff in their namespace). Is it possible to use this same mechanism to authenticate on the web UI?
So your cluster users each have their own namespace, and the tiller running inside that namespace has a service account that only allows it to create resources within the namespace. It sounds like what you want is to be able to switch the tiller you're talking to. A user could log in with their token, and we could use that to control which tiller the user is allowed to talk to.
It's a good idea and I will think about this more.
Yes, that's exactly what I mean. That's the current approach we use; we just leave authorization to Kubernetes using RBAC. It is what the Helm documentation recommends.
Let me know if I can help.
User A has access to A's namespace items. When we open Monocular, we'd like to see a login prompt for a user token. If we use user A's token, we should be able to log in and see deployed Helm items in user A's namespace. Is this type of auth doable?
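
For reference, the per-team setup this thread describes (one tiller per namespace, bound to a service account that can only act inside that namespace) looks roughly like the manifest below. It is an added example, not part of the thread or of the project's code; the namespace `team-a` and the object names are constructed placeholders.

```yaml
# Constructed example: "team-a" stands in for one team's namespace.
# Service account the team's tiller pod runs as.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: team-a
---
# Role (not ClusterRole): the permissions exist only inside team-a.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager
  namespace: team-a
rules:
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
---
# Bind the role to the service account, again scoped to team-a.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding
  namespace: team-a
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: team-a
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
# Tiller is then installed into that namespace under this account (Helm 2):
#   helm init --service-account tiller --tiller-namespace team-a
```

With this in place, anything tiller does on a user's behalf is limited by the Role, which is why the choice of which tiller a web UI session talks to is the access-control decision being asked for here.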