Description
After configuring the chart with OIDC as per the docs I was surprised to see that by default, the headlamp SA mounted in the deployment runs with cluster-admin due to the headlamp-admin role that gets created: a headlamp-admin CRB binds cluster-admin to headlamp, which is used by the deployment.
https://github.com/headlamp-k8s/headlamp/blob/main/charts/headlamp/templates/clusterrolebinding.yaml
As far as I can see, headlamp is to be used with OIDC or SA tokens only - which are then further used for API access. Setting Values.clusterRoleBinding.create = false does not inhibit headlamp and the stock CRB appears unnecessary.
I don't know about you but I feel a lot better about the security posture of my cluster if web servers don't hold the keys to the kingdom on the server side.
Moreover I believe it causes confusion and conflicts with the docs on getting an SA token:
https://headlamp.dev/docs/latest/installation/
The docs suggest making a headlamp-admin -> headlamp-admin which overrides the headlamp-admin -> headlamp shipped by the chart. Something that is likely to break or flip-flop on upgrades.
Lastly I believe some users assume that the existing CRB should enable headlamp to work, and are confused by why they need more CRBs.
Is there a reason the Helm chart adds that ClusterRoleBinding?
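To verify on your own cluster whether the headlamp ServiceAccount is still bound to cluster-admin (for example after setting clusterRoleBinding.create to false), the following added check, not part of the headlamp project, reads the output of `kubectl get clusterrolebindings -o json` and lists every binding that grants cluster-admin to a given ServiceAccount. The embedded sample is constructed, and the kube-system namespace in it is an assumption about where the chart was installed.

```python
"""Audit ClusterRoleBindings for a ServiceAccount bound to cluster-admin.

Usage with a real cluster (added example, not headlamp code):
    kubectl get clusterrolebindings -o json > crbs.json
    python3 audit.py crbs.json headlamp kube-system
"""
import json
import sys

# Constructed sample mimicking `kubectl get clusterrolebindings -o json`.
# The namespace "kube-system" is an assumption for illustration.
SAMPLE_CRB_JSON = json.dumps({
    "items": [
        {   # the binding the chart ships by default
            "metadata": {"name": "headlamp-admin"},
            "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
            "subjects": [{"kind": "ServiceAccount", "name": "headlamp",
                          "namespace": "kube-system"}],
        },
        {   # an unrelated binding that should not be flagged
            "metadata": {"name": "system:basic-user"},
            "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
            "subjects": [{"kind": "Group", "name": "system:authenticated"}],
        },
    ]
})


def find_cluster_admin_bindings(crb_json, sa_name, sa_namespace):
    """Return names of ClusterRoleBindings granting cluster-admin to the SA.

    A binding counts only if its roleRef is the cluster-admin ClusterRole and
    one of its subjects is the ServiceAccount with the given name/namespace.
    """
    hits = []
    for crb in json.loads(crb_json).get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        for subj in crb.get("subjects") or []:   # subjects may be null
            if (subj.get("kind") == "ServiceAccount"
                    and subj.get("name") == sa_name
                    and subj.get("namespace") == sa_namespace):
                hits.append(crb["metadata"]["name"])
                break
    return hits


if __name__ == "__main__":
    path, sa, ns = sys.argv[1:4]
    with open(path) as fh:
        print(find_cluster_admin_bindings(fh.read(), sa, ns))  # e.g. ['headlamp-admin']
```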