Description
Hey folks,
I was setting up Headlamp via Helm and saw that by default the chart creates a ClusterRoleBinding that grants cluster-admin permissions to the headlamp ServiceAccount (the one running the Pod).
I think we face 2 issues here:
- Security: Giving the web server pod `cluster-admin` violates the principle of least privilege. If the pod is compromised, the attacker has full cluster access without needing a user token. Since Headlamp relies on the user providing their own Bearer Token to authenticate against the K8s API, the Pod itself shouldn't need root privileges to the entire cluster.
- Confusion: The docs say to create a headlamp-admin SA and a CRB for it. But the Helm chart creates a CRB named headlamp-admin by default. If the user follows the documentation they will face:
error: failed to create clusterrolebinding: clusterrolebindings.rbac.authorization.k8s.io "headlamp-admin" already exists
The chart appends -admin to the CRB's name.
headlamp/charts/headlamp/templates/clusterrolebinding.yaml, lines 3 to 5 in d9a3326:

```yaml
kind: ClusterRoleBinding
metadata:
  name: {{ include "headlamp.fullname" . }}-admin
```
Suggestions:
Remove the -admin from the CRB's name and change the default value for clusterRoleName to `view`.
PR: #4437
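An added example, not part of the original issue or the Headlamp project: a small audit that lists every ServiceAccount bound cluster-wide to `cluster-admin`, which is how the binding described above would show up in a cluster review. The sample bindings, the `kube-system` namespace and the function name `privileged_service_accounts` are assumptions made for illustration.

```python
import json
import sys

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# Names and namespaces are illustrative, not taken from a real cluster.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "headlamp-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "ServiceAccount", "name": "headlamp", "namespace": "kube-system"}]},
  {"metadata": {"name": "headlamp-view"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "name": "headlamp", "namespace": "kube-system"}]},
  {"metadata": {"name": "cluster-admin"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
   "subjects": [{"kind": "Group", "name": "system:masters"}]},
  {"metadata": {"name": "orphaned"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}
]}
""")


def privileged_service_accounts(crb_list, risky_roles=("cluster-admin",)):
    """Return (binding, namespace, serviceaccount, role) for every
    ServiceAccount bound cluster-wide to one of risky_roles."""
    findings = []
    for crb in crb_list.get("items", []):
        role = crb.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in risky_roles:
            continue
        # `subjects` is optional in the API and may be absent or null.
        for subj in crb.get("subjects") or []:
            if subj.get("kind") == "ServiceAccount":
                findings.append((crb["metadata"]["name"], subj.get("namespace", ""),
                                 subj["name"], role["name"]))
    return findings


if __name__ == "__main__":
    # Live use: kubectl get clusterrolebindings -o json | python3 audit_crb.py -
    data = json.load(sys.stdin) if sys.argv[1:] == ["-"] else SAMPLE
    for binding, ns, sa, role in privileged_service_accounts(data):
        print(f"{binding}: system:serviceaccount:{ns}:{sa} -> {role}")
```

Group and User subjects are skipped on purpose: the concern raised in the issue is a workload identity holding the role, not a human administrator.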