Allow users without access to flux-system to use the dashboard about weave-gitops HOT 7 OPEN

For tangerine to spike this work

from weave-gitops.

@yiannistri please share the notes you mentioned earlier.

from weave-gitops.

@enekofb I have attempted to install Weave GitOps in its own namespace with its own service account. We can use this as a starting point to determine what RBAC permissions we could drop (if any) in order to better support the use case mentioned above. If it helps, see my comment here.

from weave-gitops.

@yiannistri, maybe I am missing the connection but our concern is about the permissions that are required for the impersonated user and not for the SA of weave-gitops.

Our users (and possibly users of many clusters where flux multitenancy is in use) have only access to their own namespaces (plus they are able to list namespaces) and that is it. With this, they can work with flux cli (or kubectl) to verify their HelmReleases or Kustomizations. But with weave-gitops, nothing shows up on the dashboard at the moment.

from weave-gitops.

@Cajga the use case you describe makes sense. My suggestion was about the first step towards a solution, which would allow users to run Weave GitOps in its own namespace, instead of flux-system. Then we should evaluate what changes are needed (in RBAC and Go code) to support what you describe.

from weave-gitops.

@yiannistri thanks for the confirmation.

When I am dealing with RBAC, I use this tool heavily: https://github.com/liggitt/audit2rbac

I thought to mention it in case you do not know it. If it helps then I can make some tests and list here the RBAC that is needed for waeve-gitops installation in it's own namespace.

from weave-gitops.

Checking on this as this still makes weave-gitops unusable when flux multi-tenancy and OIDC is enabled for the cluster and for weave-gitops.

from weave-gitops.