Option to designate PaaS Grade (Secure) Cluster
Problem to solve
As an operator, when I provision an instance-level cluster, I want to ensure that only certain types of resources are deployed to it, so that I can use it effectively and reduce the risk within these deployments.
When a user adds a cluster to a group or instance, they can designate it as a "PaaS" cluster, which will:
- Install a CRD and operator onto the cluster, OR install an admission controller (TBD)
- Restrict all new JIT service accounts to permissions to CRUD this CRD only
Reference implementation: https://gitlab.com/proglottis/paas-operator
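One way an operator could check that a JIT service account's Role is scoped as proposed is sketched below. This is an added example, not code from GitLab or the reference implementation. The API group `paas.example.com`, the resource `applications`, and the mapping of CRUD onto RBAC verbs are assumptions, since the issue does not name them.

```python
# Assumed placeholders: the page does not name the CRD's API group or resource.
CRD_GROUP = "paas.example.com"
CRD_RESOURCE = "applications"
# CRUD mapped onto Kubernetes RBAC verbs (read covers get/list/watch).
CRUD_VERBS = {"create", "get", "list", "watch", "update", "patch", "delete"}


def audit_rules(rules, group=CRD_GROUP, resource=CRD_RESOURCE):
    """Return findings for anything granted beyond CRUD on the one CRD.

    An empty list means the Role is scoped as the proposal describes.
    Wildcards, other API groups, subresources and extra verbs are all flagged.
    """
    findings = []
    for i, rule in enumerate(rules):
        for url in rule.get("nonResourceURLs", []):
            findings.append(f"rule {i}: nonResourceURL {url!r}")
        for g in rule.get("apiGroups", []):
            if g != group:
                findings.append(f"rule {i}: apiGroup {g!r}")
        for r in rule.get("resources", []):
            if r != resource:
                findings.append(f"rule {i}: resource {r!r}")
        for v in rule.get("verbs", []):
            if v not in CRUD_VERBS:
                findings.append(f"rule {i}: verb {v!r}")
    return findings


# Constructed sample Role rules (not taken from any real cluster).
SCOPED_RULES = [
    {"apiGroups": [CRD_GROUP], "resources": [CRD_RESOURCE],
     "verbs": ["create", "get", "list", "watch", "update", "patch", "delete"]},
]
OVERBROAD_RULES = [
    {"apiGroups": [CRD_GROUP], "resources": [CRD_RESOURCE], "verbs": ["get", "create"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]},  # core API group
    {"apiGroups": [CRD_GROUP], "resources": ["*"], "verbs": ["*"]},   # wildcards
]

if __name__ == "__main__":
    for name, rules in (("scoped", SCOPED_RULES), ("overbroad", OVERBROAD_RULES)):
        result = audit_rules(rules)
        print(name, "OK" if not result else result)
```

The `rules` argument has the same shape as the `rules` list of a Kubernetes Role or ClusterRole manifest, so the function can be fed the parsed output of an existing Role.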
Permissions and Security
Only instance admins or group maintainers+ will be able to exercise this setting.
What does success look like, and how can we measure that?
Links / references
Kubernetes admission controller https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/