GrafanaDatasource and dashboard to easy to sync with any grafana instance

[NissesSenap]

Issue scenario: A big company want to use the grafana-operator to host multiple different grafana instances with multiple different dashboards/datasources.

The company use different grafana instances to separate data sharing between the teams.
If a malicious user with namespace access want to get access to the grafanadatasource of another team all he needs to do is to create a grafana instances that matches the same labels that the other team uses.

Solution

You could argue that this is something that the cloud administrators should think about and hinder by setting ValidatingAdmissionWebhooks.
But a general best practice to follow is to make a project as easy as possible to use securely.

To make this I think that we should introduce a new config value to the grafanadatasource and grafanadashboard being something like namespaceLocalOnly which should be true by default.
If this value is true the operator won't sync to any grafana instance outside of that namespace.

I still think it's important to support being able to have a single grafana instances that multiple users/teams/namespace can contribute to. But I think the general use case will be one grafana instance in one namespace with the same datasource and dashboards in the same namespace.

[pb82]

This solves a real problem, but we need a descriptive name for the field and point it out in documentation that this is the default behaviour. If you want you can have dashboards in one and Grafana in another namespace.