In an Enterprise, Spinnaker is configured with a service account connecting to the cluster with clusterrole permissions to core api groups. What is a recommended practice to provide visibility to a subset of namespaces based on user login to Spinnaker for pipeline creation?
1. Create multiple accounts in the hal/clouddriver config with the same K8s service account to connect to K8s, then restrict the namespaces for the corresponding Spinnaker account. When a user logs in, the authorization group will have permissions set using fiat to one Spinnaker account that has the relevant namespace restriction in K8s.
2. The K8s service account configured in Spinnaker supports impersonation. When a user logs in, Spinnaker will impersonate the user to retrieve namespaces, secrets and other information from the K8s cluster.
3. There is an oAuth scope parameter in the config file for K8s in Spinnaker. Not sure how this works, but guessing this can be used similarly to option 1.
4. There could be other ways if one can generate a kubeconfig for service accounts that have restricted permissions to certain namespaces, which can then be used by Spinnaker to operate on those namespaces.
Looking forward to getting an understanding of what is possible and the recommended options for multiple groups deploying to K8s using Spinnaker.
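The layout sketched in option 1, written out as a clouddriver account configuration. This is an added example, not configuration from the original post or from the Spinnaker project; the account names, fiat role names, kubeconfig path and cluster context are assumptions. Both accounts share one kubeconfig (the same K8s service account), but each is pinned to its own namespace and to its own fiat READ/WRITE roles, so a user whose login group maps only to `team-a-devs` sees and can deploy through `k8s-team-a` alone.

```yaml
# clouddriver-local.yml (added example; names, path and context are assumptions)
kubernetes:
  enabled: true
  accounts:
    # Both accounts authenticate with the same kubeconfig / K8s service account.
    # The namespace list limits what clouddriver caches and deploys to for this
    # account; the permissions block is enforced by fiat at login time.
    - name: k8s-team-a
      providerVersion: V2
      kubeconfigFile: /home/spinnaker/.kube/config   # assumed path
      context: shared-cluster                        # assumed context name
      namespaces:
        - team-a
      onlySpinnakerManaged: true
      permissions:
        READ:
          - team-a-devs                              # assumed fiat role / login group
        WRITE:
          - team-a-devs
    - name: k8s-team-b
      providerVersion: V2
      kubeconfigFile: /home/spinnaker/.kube/config
      context: shared-cluster
      namespaces:
        - team-b
      onlySpinnakerManaged: true
      permissions:
        READ:
          - team-b-devs
        WRITE:
          - team-b-devs
```

The same two accounts can be created with Halyard (`hal config provider kubernetes account add k8s-team-a --context shared-cluster --namespaces team-a --read-permissions team-a-devs --write-permissions team-a-devs`, and likewise for team B), and the `permissions` block only takes effect once authorization is enabled (`hal config security authz enable`). One caveat worth checking before relying on this: the `namespaces` list is a clouddriver-side filter, not Kubernetes RBAC. The underlying service account still holds its cluster-wide rights, so a misconfigured or newly added account definition would again expose every namespace. Backing each account with its own namespace-scoped service account and kubeconfig, as in option 4, keeps the restriction enforced by the cluster as well as by Spinnaker.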