aleveille/octant-dashboard-turnkey

Support for non-read-only deployments

rickchoi opened this issue · 2 comments

I've been looking for any way to deploy the Octant dashboard to a K8s cluster, and happened to find this great project. Octant "was" a read-only dashboard for quite some time, but since v0.13 and v0.14 Octant seems to be providing resource editing and creation of resources, and I'm just curious about why this octant-dashboard-turnkey project is set to read-only mode by default. Would it be hard to make it support RW mode?

Hi!

The reason why this is read-only is simply to err on the safe side. Octant does not support authentication within the app yet - there's only one set of "credentials", the kubeconfig file.

When people use Octant on their machine, they have their own kubeconfig. So if somebody can delete pods, but not secrets, that will be enforced through their config and role(s). Also, any action they take could potentially be traced back to the user taking an action.

Octant as a dashboard means that users probably don't have access to a kube-config file. Otherwise they would execute Octant locally.

So just to be safe, this dashboard is deployed as a read-only dashboard in order to allow developers to view their deployment, etc. It was also discussed at some point to hide the secret by default.

However, if you want to give more permissions to your users, there are two ways of doing so. You can use clusterRole.rules to completely replace the rule set (e.g. giving all permissions) or clusterRole.additionalRules to add some specific rules (e.g. delete a pod).

I hope this helps
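
The two options named in the reply above, side by side, as an added example that is not part of the original thread or the project's own documentation. The key names clusterRole.rules and clusterRole.additionalRules come from the reply; the assumption is that each entry is a standard Kubernetes RBAC PolicyRule, and the two fragments are alternatives, not one file.

```yaml
# Constructed values fragments. Assumption: each list entry is a standard
# Kubernetes RBAC PolicyRule (apiGroups / resources / verbs).

# Option A: clusterRole.rules replaces the whole rule set
# ("giving all permissions"). Octant has one set of credentials and no
# in-app authentication, so everyone who can open the dashboard acts with
# these rights, and actions cannot be traced back to an individual user.
clusterRole:
  rules:
    - apiGroups: ["*"]
      resources: ["*"]
      verbs: ["*"]
---
# Option B: clusterRole.additionalRules adds one narrow rule on top of the
# read-only defaults ("delete a pod"). Secrets and every other resource
# stay at whatever the default rule set allows.
clusterRole:
  additionalRules:
    - apiGroups: [""]        # core API group, where Pod lives
      resources: ["pods"]
      verbs: ["delete"]
```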

That explains well! Thanks a lot!