[14:58:45] <klausman>	 akosiaris: I created https://gerrit.wikimedia.org/r/c/operations/deployment-charts/+/991309 to do the above-mentioned and added you as a reviewer. Feel free to redirect the review as is needed/useful
[15:39:18] <akosiaris>	 klausman: quick q if you are still around. I see kind: Group and name: system:serviceaccounts:experimental. How do you intend to give serviceaccount access to the people mentioned in the commit message? 
[15:40:28] <akosiaris>	 you quite possibly already know this, but a service account is supposed to provide an identity to a process that runs in a pod in the cluster. Not to a human directly. 
[15:40:33] <klausman>	 Good question. My understand is that this would be done by a file in /etc/k8s on the deployment server? I banged my head at the k8s rbac model for a week and mostly wanted to get out something reviewable. Pointers on how to do it right much appreachted
[15:40:46] <akosiaris>	 the rest of the file is ok btw
[15:41:18] <akosiaris>	 ah, ok /etc/k8s on deployment hosts has nothing to do with k8s serviceaccounts.
[15:41:41] <akosiaris>	 serviceaccounts are really meant to be internal to the cluster, not to be used to talk to the api from outside the cluster
[15:42:01] <akosiaris>	 let me comment on in the gerrit change then and suggest something
[15:42:26] <klausman>	 ty!
[16:05:20] <akosiaris>	 done
[16:25:14] <klausman>	 have a splendid weekend, I'll implement your suggestions on Monday. One question tho: are the two d-c and puppet changes independent or does one have to be merged and pushed first?