Enterprise Grade CRD to restrict deployment in group or instance Kubernetes cluster
Problem to solve
As an operator, when I provision an instance-level cluster, I want to ensure that only certain types of resources are deployed to it so that I can use it effectively and reduce the risk within these deployments.
Intended users
Operators
Further details
Proposal
When a user adds a cluster to a group or instance, they can designate it as an "Enterprise Grade" cluster, which will:
- Install a CRD + Operator onto your cluster OR install an admission controller (TBD)
- Give all new JIT service accounts permissions only to CRUD this CRD
Reference implementation: https://gitlab.com/proglottis/paas-operator
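One way to check the second point, as an added example that is not taken from this issue or from the reference implementation: an audit of a Role's `rules` (already parsed into Python dicts) that reports anything beyond CRUD on a single custom resource. The API group `paas.example.com` and resource `paasapps` are hypothetical placeholders, and the sample rules are constructed.

```python
# Added example: verify that the RBAC rules bound to a JIT service account
# grant nothing beyond CRUD on one custom resource.
# ASSUMPTION: group "paas.example.com" and resource "paasapps" are
# placeholders; the issue does not name the CRD.

# Kubernetes RBAC verbs that make up create/read/update/delete.
CRUD_VERBS = {"create", "get", "list", "watch", "update", "patch", "delete"}


def audit_rules(rules, group, resource):
    """Return findings; an empty list means only CRUD on group/resource."""
    findings = []
    for i, rule in enumerate(rules):
        # Non-resource URLs (e.g. /metrics) are never part of a CRD grant.
        if rule.get("nonResourceURLs"):
            findings.append(f"rule {i}: nonResourceURLs {rule['nonResourceURLs']}")
        # "*" and the core group "" fail this comparison like any other group.
        for g in rule.get("apiGroups", []):
            if g != group:
                findings.append(f"rule {i}: apiGroup {g!r} outside {group!r}")
        # Subresources such as "paasapps/status" are flagged as well (strict).
        for r in rule.get("resources", []):
            if r != resource:
                findings.append(f"rule {i}: resource {r!r} is not {resource!r}")
        for v in rule.get("verbs", []):
            if v not in CRUD_VERBS:
                findings.append(f"rule {i}: verb {v!r} is not a CRUD verb")
    return findings


# Constructed sample: rules that match the proposal.
SCOPED = [{"apiGroups": ["paas.example.com"], "resources": ["paasapps"],
           "verbs": ["create", "get", "list", "watch", "update", "patch", "delete"]}]

# Constructed sample: a wildcard verb plus read access to core Secrets.
BROAD = [{"apiGroups": ["paas.example.com"], "resources": ["paasapps"],
          "verbs": ["*"]},
         {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}]

if __name__ == "__main__":
    for name, rules in (("SCOPED", SCOPED), ("BROAD", BROAD)):
        result = audit_rules(rules, "paas.example.com", "paasapps")
        print(name, "OK" if not result else result)
```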
Permissions and Security
Only instance admins or group maintainers+ will be able to exercise this setting.
Documentation
What does success look like, and how can we measure that?
Links / references
Kubernetes admission controller https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
https://docs.google.com/document/d/1cSsXaGG6vg1_VSnxheoOTHx8UzTtCr2Yzhdhcpyj6ys/edit#
