Use dedicated token for k8s web terminal connections
Problem to solve
Currently, k8s web terminal connections use the SA token with administrative privileges for web terminals.
Further details
For increased security we should curb the use of admin tokens where possible.
Proposal
Add a second configuration parameter called "Online terminal token" to the service, and use that instead of the normal token for terminal access (if present).
That would allow privilege separation to happen now for people who need it - they'd manually generate a token with the appropriate RBAC authorization and add it to settings. We could automate the generation of that token in the future.
What does success look like, and how can we measure that?
(If no way to measure success, link to an issue that will implement a way to measure this)