Re: [che-dev] Pre-existing workspace service account

I am +1 for the "let's make this work" approach. And we can use an optional annotation on the SA to change the behavior to "do not touch"

On Mon, Jun 15, 2020 at 2:47 PM Lukas Krejci <lkrejci@xxxxxxxxxx> wrote:
Hi all,

There is this behavior within the Che server that we always seem to do a
couple of circles around whenever someone hits some kind of problem in the
area.

The issue is this: Currently, we don't touch the workspace service account if
we find it already existing.

This means that the role bindings are not updated on it, nor are any
potentially missing roles created or updated, if we find them missing or
configured differently.

The reasoning behind this is that if we find a pre-existing SA in the
namespace we want to start a workspace in, we assume that the cluster admin
already did their homework and set up the permissions for Che the way they
want and need in their cluster.

We could argue in favor of the other behavior and update the service account
with the stuff we need regardless of whether it existed or not. This would be
more convenient, but in theory could hamper the security constraints
imposed by the cluster admin.

WDYT? Do you favor the current "do not touch" approach or the more convenient
"let's make this work" approach?

Thanks,

Lukas


_______________________________________________
che-dev mailing list
che-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/che-dev
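The two behaviors under discussion, as an added example that is not part of the thread or of the Che server code: a planner that reconciles a workspace service account's Roles and RoleBindings against what Che wants, under the current "do not touch" rule and under "let's make this work" with the opt-out annotation the reply proposes. It uses plain dataclasses instead of the Kubernetes API so it runs offline; the annotation name `example.che.eclipse.org/do-not-touch`, the SA name `che-workspace` and the role and binding names are constructed for the example.

```python
"""Plan Role/RoleBinding reconciliation for a Che workspace service account.

Added example for the che-dev thread; not Che server code. Plain dataclasses
stand in for Kubernetes objects so this runs offline.
"""
from dataclasses import dataclass, field

# Hypothetical opt-out annotation (the "do not touch" marker suggested in the
# reply); not a real Che or Kubernetes annotation.
DO_NOT_TOUCH = "example.che.eclipse.org/do-not-touch"


@dataclass
class Role:
    name: str
    rules: frozenset  # constructed: a set of (resource, verb) pairs


@dataclass
class RoleBinding:
    name: str
    role: str  # roleRef.name; immutable on a real RoleBinding
    subjects: set = field(default_factory=set)  # bound service account names


@dataclass
class Namespace:
    service_accounts: dict = field(default_factory=dict)  # name -> annotations
    roles: dict = field(default_factory=dict)             # name -> Role
    role_bindings: dict = field(default_factory=dict)     # name -> RoleBinding


def plan(ns, sa_name, roles, bindings, touch_existing):
    """Return the actions needed to make the SA usable by Che.

    touch_existing=False is the current "do not touch" behavior: a
    pre-existing SA is left alone, together with its roles and bindings.
    touch_existing=True is "let's make this work", unless the admin opted
    the SA out with the DO_NOT_TOUCH annotation.
    """
    actions = []
    annotations = ns.service_accounts.get(sa_name)
    if annotations is None:
        actions.append(("create-sa", sa_name))
    elif not touch_existing or annotations.get(DO_NOT_TOUCH) == "true":
        return actions  # admin owns this SA: never widen its permissions

    for role in roles:
        existing = ns.roles.get(role.name)
        if existing is None:
            actions.append(("create-role", role.name))
        elif existing.rules != role.rules:
            actions.append(("update-role", role.name))

    for rb in bindings:
        existing = ns.role_bindings.get(rb.name)
        if existing is None:
            actions.append(("create-binding", rb.name))
        elif existing.role != rb.role:
            # roleRef cannot be changed in place; the binding must be recreated
            actions.append(("recreate-binding", rb.name))
        elif sa_name not in existing.subjects:
            actions.append(("add-subject", rb.name))
    return actions


def apply(ns, sa_name, roles, bindings, actions):
    """Apply the planned actions to the in-memory namespace."""
    roles_by_name = {r.name: r for r in roles}
    bindings_by_name = {b.name: b for b in bindings}
    for kind, name in actions:
        if kind == "create-sa":
            ns.service_accounts[name] = {}
        elif kind in ("create-role", "update-role"):
            r = roles_by_name[name]
            ns.roles[name] = Role(r.name, r.rules)
        elif kind in ("create-binding", "recreate-binding"):
            b = bindings_by_name[name]
            ns.role_bindings[name] = RoleBinding(b.name, b.role, {sa_name})
        elif kind == "add-subject":
            ns.role_bindings[name].subjects.add(sa_name)
    return ns


# Constructed scenario: the admin pre-created the workspace SA, gave it a
# narrower role than Che expects, bound it to a different role, and one
# binding Che wants does not exist at all.
WANTED_ROLES = [Role("workspace-view", frozenset({("pods", "get"), ("pods", "list"),
                                                  ("pods/exec", "create")}))]
WANTED_BINDINGS = [RoleBinding("workspace-view", "workspace-view"),
                   RoleBinding("workspace-exec", "workspace-view")]


def preexisting_namespace(annotations=None):
    ns = Namespace()
    ns.service_accounts["che-workspace"] = dict(annotations or {})
    ns.roles["workspace-view"] = Role("workspace-view", frozenset({("pods", "get")}))
    ns.role_bindings["workspace-view"] = RoleBinding(
        "workspace-view", "admin-restricted", {"che-workspace"})
    return ns


if __name__ == "__main__":
    for touch in (False, True):
        ns = preexisting_namespace()
        print("touch_existing=%s -> %s" % (
            touch, plan(ns, "che-workspace", WANTED_ROLES, WANTED_BINDINGS, touch)))
```

Under "do not touch" the pre-existing SA yields no actions, so the admin's narrower role and differing binding stay as they are; under "let's make this work" the planner widens the role, recreates the binding with the expected roleRef and adds the missing one, unless the SA carries the opt-out annotation. Because a real RoleBinding's roleRef is immutable, the "recreate" step is the one an operator has to audit most carefully: it replaces whatever binding the admin put there.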