komodorio/helm-dashboard

Helm Dashboard Service Account Permissions

andriktr opened this issue · 5 comments

Description

Hello,
We trying to run helm-dashboard as a deployment in our k8s cluster everything seems working as expected. However we would like to limit the access for helm-dashboard sa to get the charts only from specific namespaces. To achieve this we are creating role and role bindings (for helm-dashboard sa) in each namespace which should be visible in UI and we commented out cluster role and binding creation in original helm chart serviceaccount.yaml template. However this approach doesn't work as it still wants to have cluster wide secret list permissions. If we grant secret list cluster wide permissions all helm charts from all ns's become visible in UI. Wouldn't it be more correct what if helm-dashboard acc has access to a specific namespace where helm chart is installed this chart then should be visible in dashboard UI even without cluster wide secret list access. This way we can limit access for users to view only non-system applications. In other case having cluster wide secret list access will allow every one to view any manifest installed by helm as all the data are kept in the helm secrets this is not very secure.
Any ways to fix this?
Thank in advance

Screenshots


Additional information

No response

Just configure helm-dashboard to work with a specific namespace list, it should work for you. It is mentioned in the README:
If you need to limit the operations to a specific namespace, please use --namespace=... in your command-line. You can specify multiple namespaces, separated by commas.

Yes and no. Such an approach requires constantly changing the args by adding new namespaces to it. In our case new namespaces might be created every hour or even more frequently. It would work if it were possible to select the required namespaces by label, for example.

We use Helm's code under the hood, this is how it works. It either queries the cluster-wide helm chart list, or explicitly specified namespaces.
I can tell in addition that Komodor's commercial platform has the same functionality, but with enterprise RBAC features. Works there because Helm's code is not used :)

Have found a workaround by writing a simple Python app which runs in a separate deployment, watches namespaces based on specific label(s) and, if needed, patches the helm-dashboard deployment by adding the namespace to the helm-dashboard --namespace arg :)
Anyway thanks for the help :)
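An added example of the label-driven reconciler described in the comment above; it is not the commenter's code or part of the helm-dashboard project. The label selector, the deployment/namespace/container names and the use of the official `kubernetes` Python client are assumptions; the pure helpers compute the new arg list and patch body, and the watcher loop applies it only when the labelled namespace set actually changed.

```python
"""Keep helm-dashboard's --namespace=a,b,c arg in sync with labelled namespaces."""
from typing import List, Optional

LABEL_SELECTOR = "helm-dashboard/visible=true"  # assumed label, not a project convention
DEPLOYMENT = "helm-dashboard"                    # assumed deployment name
NAMESPACE = "helm-dashboard"                     # assumed namespace of that deployment
CONTAINER = "helm-dashboard"                     # assumed container name inside it
ARG_PREFIX = "--namespace="


def parse_namespaces(args: List[str]) -> List[str]:
    """Namespaces currently listed in the --namespace=... arg (empty if absent)."""
    for arg in args:
        if arg.startswith(ARG_PREFIX):
            return [n for n in arg[len(ARG_PREFIX):].split(",") if n]
    return []


def desired_args(current_args: List[str], labelled: List[str]) -> Optional[List[str]]:
    """New container args, or None when no patch is needed."""
    wanted = sorted(set(labelled))
    # Never drop the arg entirely: without it helm-dashboard falls back to a
    # cluster-wide query, which is exactly the access we are trying to avoid.
    if not wanted or sorted(set(parse_namespaces(current_args))) == wanted:
        return None
    others = [a for a in current_args if not a.startswith(ARG_PREFIX)]
    return others + [ARG_PREFIX + ",".join(wanted)]


def strategic_patch(container: str, args: List[str]) -> dict:
    """Strategic-merge patch that replaces only the named container's args."""
    return {"spec": {"template": {"spec": {"containers": [{"name": container, "args": args}]}}}}


def reconcile_forever() -> None:
    """Watch labelled namespaces and patch the deployment when the set changes."""
    from kubernetes import client, config, watch  # imported here so helpers work offline

    config.load_incluster_config()
    core, apps = client.CoreV1Api(), client.AppsV1Api()
    for _event in watch.Watch().stream(core.list_namespace, label_selector=LABEL_SELECTOR):
        labelled = [ns.metadata.name for ns in core.list_namespace(label_selector=LABEL_SELECTOR).items]
        dep = apps.read_namespaced_deployment(DEPLOYMENT, NAMESPACE)
        ctr = next(c for c in dep.spec.template.spec.containers if c.name == CONTAINER)
        new_args = desired_args(ctr.args or [], labelled)
        if new_args is not None:
            apps.patch_namespaced_deployment(DEPLOYMENT, NAMESPACE, strategic_patch(CONTAINER, new_args))


if __name__ == "__main__":
    reconcile_forever()
```

The watcher's own service account only needs list/watch on namespaces and get/patch on that one deployment, so it adds no secret access anywhere.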

Great that you found a solution!