#5 . Finally I failed to persuade myself. And this feature still requires a lot of discussion from our community.

For features about creating new user, I'd like to provide more evidences on why we shouldn't provide this function:

1. Visual Studio: Windows is a multi-user system on PC, the developers login with different username and password. Then they can use Visual Studio to create a project, edit files, delete project, debug project. It's a really "platform" for programming.
   Chaos Mesh: Kubernetes is a multi-user platform for operating on clusters, the developers login with different User / ServiceAccount. Then they can use chaos-mesh dashboard to create a chaos resource, observe a chaos, remove a chaos. Chaos Mesh is also a "platform" even it doesn't provide functions like creating users.

2. Argo also provides a GUI and is also a platform on kubernetes (it can even manage CI/CD 😄 ). It won't create user in its dashboard.

3. TODO

I think this disagreement arises from the disagreement that: whether Chaos Mesh is a software ( or platform, if you like 😛 ) on kubernetes. You will never agree that Visual Studio should create Windows user, why do you want to create a user in chaos dashboard ?

In my point of view, kubernetes and cloud-native is always our first requirement and target for Chaos Mesh. Never forget our original intention please!

(Though we are planning to run chaos technology on bare metal, I believe we should create a standalone privilege system and scheduling system for it, because there is little in common between bare metal and cloud. The only thing we can reuse is the concrete implementation. )

There is a Fault scenario that can keep the POD in non-running state for a period of time, but the fault of POD kill can`t keep the POD in non-running state for a period of time.

This solution need chaos-dashboard has permission about create/get/update/delete on Role/RoleBinding/Service Account/Secrets.

I don't think chaos-dashboard should be with these permission. The user should provide a token with these permission to login and create a user in chaos-dashboard.

(Though I still think create user in chaos-dashboard is a little awkward, I will try to persuade myself as most of you agree that we should provide this function.)

I have asked @STRRL to investigate more about the ServiceAccount and normal user on kubernetes, but obviously this RFC "Authentication and authorization on chaos dashboard" doesn't contain any discussion about it.

It takes several months for kubernetes/dashboard to decide the best "security, auth and logging" in technology. I think our discussion is too hasty. Even after the discussion, most of us have little knowledge about the authentication in kuberentes, which is really dangerous and amazing.

Before the next discussion or comment, we may need to read these documents and former discussions (in other projects):

1. kuberentes authentication document

2. kuberentes certificate signing requests, especially the Normal User part

3. kubernetes dashboard related issue

Welcome to comment any learning resource under this issue. I'm willing to enrich this list.

And, welcome our community members to discuss under this issue. We need the help from experienced kubernetes user. However, I'm not 😿