bump kubernetes dashboard version #2789
Hi @gianrubio. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/assign @sethpollack
@chrislovecnm: GitHub didn't allow me to assign the following users: sethpollack. Note that only kubernetes members can be assigned. In response to this:
@sethpollack can you review?
@k8s-bot ok to test
--- | ||
apiVersion: rbac.authorization.k8s.io/v1beta1 | ||
kind: ClusterRoleBinding |
I don't think we want to just assume that the dashboard should have cluster-admin
access.
I borrowed these rules from upstream:
https://github.com/kubernetes/dashboard/pull/1856/files
What permission do you recommend?
On Thu, 22 Jun 2017 at 20:16, Seth Pollack ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In addons/kubernetes-dashboard/v1.6.1.yaml
<#2789 (comment)>:
> +
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ k8s-app: kubernetes-dashboard
+ k8s-addon: kubernetes-dashboard.addons.k8s.io
+ k8s-app: kubernetes-dashboard
+ name: kubernetes-dashboard
+ namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
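Review bot: The ServiceAccount's `labels` map lists `k8s-app: kubernetes-dashboard` twice, once before and once after the `k8s-addon` line; a duplicate mapping key is rejected by strict YAML parsers and silently collapsed by others, so drop one of them. The ClusterRoleBinding that opens at the end of this hunk is cluster-scoped whatever role it references (its roleRef and subjects are not visible in these lines), so for a dashboard service account in kube-system a namespaced Role and RoleBinding limited to what the dashboard needs would be the safer default.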
I don't think we want to just assume that the dashboard should have
cluster-admin access.
--
Giancarlo Rubio
Correct, don't give the dashboard any permissions you don't want available to anyone with network visibility to pod or service IPs. I don't know what role I would expect as the default. Does kops have any indication whether the user wants a secured cluster they can open up permissions on as they wish, or a dev cluster that is wide open by default?
Maybe don't bind to any role by default and let the user do that step manually.
We do not have any expectation, other than that a kops cluster is building a production grade cluster. We would like to lock it down, and allow a user to open the perms as needed. Just my two cents.
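A check in the spirit of the comments above, as an added example that is not part of this PR or of kops: it scans ClusterRoleBinding objects and reports service accounts, or the built-in service-account groups, bound cluster-wide to a broad role. The function name, the `BROAD_ROLES` set and the sample bindings (constructed, shaped like `kubectl get clusterrolebindings -o json` output) are assumptions.

```python
import json

# Constructed sample, shaped like `kubectl get clusterrolebindings -o json` output.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "kubernetes-dashboard"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "ServiceAccount", "name": "kubernetes-dashboard",
                "namespace": "kube-system"}]},
 {"metadata": {"name": "all-kube-system-sas"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "system:serviceaccounts:kube-system"}]},
 {"metadata": {"name": "ops-admins"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
  "subjects": [{"kind": "Group", "name": "ops"}]},
 {"metadata": {"name": "metrics-reader"},
  "roleRef": {"kind": "ClusterRole", "name": "view"},
  "subjects": [{"kind": "ServiceAccount", "name": "metrics", "namespace": "monitoring"}]},
 {"metadata": {"name": "no-subjects"},
  "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}, "subjects": null}
]}
""")

BROAD_ROLES = {"cluster-admin"}  # assumption: add other roles you consider too broad
SA_GROUP = "system:serviceaccounts"  # built-in group prefix covering service accounts


def broad_service_account_bindings(binding_list, broad_roles=BROAD_ROLES):
    """Return (binding name, subject, role) for each pod identity bound to a broad role."""
    findings = []
    for binding in binding_list.get("items", []):
        role = binding.get("roleRef", {}).get("name")
        if role not in broad_roles:
            continue
        for subj in binding.get("subjects") or []:  # subjects may be absent or null
            kind, name = subj.get("kind"), subj.get("name", "")
            if kind == "ServiceAccount":
                who = f"serviceaccount {subj.get('namespace', '')}/{name}"
            elif kind == "Group" and (name == SA_GROUP or name.startswith(SA_GROUP + ":")):
                who = f"group {name}"
            else:
                continue  # users and ordinary groups are out of scope for this check
            findings.append((binding["metadata"]["name"], who, role))
    return findings


if __name__ == "__main__":
    for name, who, role in broad_service_account_bindings(SAMPLE):
        print(f"{name}: {who} -> {role}")
```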
@liggitt / @sethpollack any further recommendations?
I would leave out the
4ddf99f to 1cfbec7
I removed the cluster role binding; I'm just bumping the dashboard version and creating a service account.
lgtm, maybe just add something to the docs about the need to add your own role binding?
5d5fefe to 7f85391
add serviceaccount for kubernetes-dashboard and wrote docs related to rbac
7f85391 to f330b40
@sethpollack done, please review again!
👍
Thanks
/assign
merging per @sethpollack's review
This change is