PaaS CRD to restrict deployment only to Knative services
Problem to solve
As an operator, when I provision an instance-level cluster, I want to ensure that only certain types of resources are deployed to it, so that I can use it effectively and reduce the risk within these deployments.
Intended users
Operators
Further details
Proposal
When a user adds a cluster to a group or instance, they can designate it as a "PaaS" cluster, which will:
- Install a CRD + operator onto the cluster, OR install an admission controller (TBD)
- Restrict all new JIT service accounts to CRUD permissions on this CRD only
Reference implementation: https://gitlab.com/proglottis/paas-operator
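As an added illustration of the second bullet (not taken from this issue or from the proglottis/paas-operator project), the RBAC below grants a JIT service account CRUD on the PaaS CRD and nothing else. The API group `paas.example.com`, resource `apps`, namespace `gitlab-managed-apps` and service account name `gitlab-jit-sa` are placeholders; substitute whatever the chosen CRD and cluster integration actually use.

```yaml
# Added example; not the issue's or the operator project's own manifests.
# Placeholders (assumptions): API group "paas.example.com", resource "apps",
# namespace "gitlab-managed-apps", service account "gitlab-jit-sa".
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: paas-crd-only
  namespace: gitlab-managed-apps
rules:
  # The only rule: CRUD on the PaaS CRD. There are deliberately no rules for
  # pods, deployments, services, secrets or any other core resource, so the
  # JIT account cannot deploy anything the operator does not create for it.
  - apiGroups: ["paas.example.com"]
    resources: ["apps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: paas-crd-only
  namespace: gitlab-managed-apps
subjects:
  - kind: ServiceAccount
    name: gitlab-jit-sa
    namespace: gitlab-managed-apps
roleRef:
  kind: Role
  name: paas-crd-only
  apiGroup: rbac.authorization.k8s.io
```

The operator (or admission controller) is the component that holds the broader permission to create Knative Services from these custom resources; the JIT account never holds it directly. A quick check after applying the manifests is `kubectl auth can-i create deployments --as=system:serviceaccount:gitlab-managed-apps:gitlab-jit-sa -n gitlab-managed-apps`, which should answer `no`, while the same query for `apps.paas.example.com` should answer `yes`.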
Permissions and Security
Only instance admins or group maintainers+ will be able to exercise this setting.
Documentation
What does success look like, and how can we measure that?
Links / references
Kubernetes admission controller https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
https://docs.google.com/document/d/1cSsXaGG6vg1_VSnxheoOTHx8UzTtCr2Yzhdhcpyj6ys/edit#
Edited by Daniel Gruesso