prehistoric-london-9917 (12/05/2022, 7:52 PM)
to be deployed. Is there a way to have one deployment of the operator that monitors all the cluster namespaces for
? Seems a waste of resources to have to deploy it everywhere. Or am I missing something?
gorgeous-egg-16927 (12/05/2022, 8:46 PM)
prehistoric-london-9917 (12/05/2022, 10:07 PM)
gorgeous-egg-16927 (12/05/2022, 10:13 PM)
prehistoric-london-9917 (12/05/2022, 10:18 PM)
namespace, and use an IAM service-account linked role bind to the operator SA. The IAM role would have an AWS
IAM policy attached to it. We’d then back that up with something like Gatekeeper or Kyverno to control what kinds of things `Program`s or `Stack`s could do with a validating admission policy. Then people would deploy programs or stacks in any namespace, and the operator would action them. One question though: Does the operator that’s running the
use the role that is linked to the SA? In other words, would we still need to provide an AWS Access Key and secret key for stacks to deploy properly?
gorgeous-egg-16927 (12/05/2022, 10:21 PM)
eager-football-6317 (12/05/2022, 10:28 PM)
"We’d then back that up with something like Gatekeeper or Kyverno to control what kinds of things `Program`s or `Stack`s could do with a validating admission policy."
I think you will find this difficult, in general. You might be able to constrain which git repos Stacks can use. But you’d also have to control what goes in those repos.
prehistoric-london-9917 (12/07/2022, 8:42 PM)
eager-football-6317 (12/07/2022, 9:52 PM)