prehistoric-london-9917
12/05/2022, 7:52 PM
Stacks and Programs to be deployed.
Is there a way to have one deployment of the operator that monitors all the cluster namespaces for Stacks and Programs? Seems a waste of resources to have to deploy it everywhere. Or am I missing something?

gorgeous-egg-16927
12/05/2022, 8:46 PM

prehistoric-london-9917
12/05/2022, 10:07 PM

gorgeous-egg-16927
12/05/2022, 10:13 PM

prehistoric-london-9917
12/05/2022, 10:18 PM
pulumi-operator namespace, and use an IAM service-account-linked role bound to the operator SA. The IAM role would have the AWS AdministratorAccess IAM policy attached to it. We'd then back that up with something like Gatekeeper or Kyverno to control what kinds of things `Program`s or `Stack`s could do, via a validating admission policy. Then people would deploy programs or stacks in any namespace, and the operator would action them.
One question though: does the operator that's running the Program use the role that is linked to the SA? In other words, would we still need to provide an AWS Access Key and Secret Key for stacks to deploy properly?

gorgeous-egg-16927
12/05/2022, 10:21 PM

eager-football-6317
12/05/2022, 10:28 PM
"We'd then back that up with something like Gatekeeper or Kyverno to control what kinds of things `Program`s or `Stack`s could do, via a validating admission policy."
I think you will find this difficult, in general. You might be able to constrain which git repos Stacks can use. But you'd also have to control what goes in those repos.

prehistoric-london-9917
12/07/2022, 8:42 PM

eager-football-6317
12/07/2022, 9:52 PM