Open
Description
Allow different levels of access for different CLI users. To start, it could be just two levels: list/get or list/get + deploy/delete.
Proposal
- use a signed (presigned) STS get-caller-identity request to identify the IAM entity (user/role) the client is using
- compare that IAM entity against a map from IAM entity to permissions, perhaps stored in a configmap managed by cortex
- add documentation for how to assign k8s roles to an IAM entity and how AWS users can assume IAM roles to access k8s resources
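As an added illustration (not Cortex code), here is what the operator side of that proposal could look like in Go: validate that the URL the CLI sends really is a short-lived presigned STS GetCallerIdentity request before fetching it, normalise the ARN STS returns so that users who assumed a role are matched by role, and look the identity up in a deny-by-default permission map. The configmap contents, the 60s expiry limit, the STS host pattern and the function names are all assumptions for the example; the account id and names are made up.

```go
package main

import (
	"errors"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

// Assumed contents of the cortex-managed configmap, keyed by canonical IAM ARN:
// false = list/get only, true = list/get + deploy/delete. Account id and names are made up.
var canDeploy = map[string]bool{
	"arn:aws:iam::123456789012:user/alice":    true,
	"arn:aws:iam::123456789012:role/DataTeam": false,
}
var stsHost = regexp.MustCompile(`^sts(\.[a-z0-9-]+)?\.amazonaws\.com$`)

// ValidatePresignedURL rejects anything that is not a short-lived, signed STS
// GetCallerIdentity request, so the operator never fetches a caller-chosen URL.
func ValidatePresignedURL(raw string) error {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || !stsHost.MatchString(u.Host) {
		return errors.New("not an STS endpoint")
	}
	q := u.Query()
	if q.Get("Action") != "GetCallerIdentity" || q.Get("X-Amz-Signature") == "" {
		return errors.New("not a signed GetCallerIdentity request")
	}
	if exp, err := strconv.Atoi(q.Get("X-Amz-Expires")); err != nil || exp > 60 {
		return errors.New("presigned URL must expire within 60s")
	}
	return nil
}

// CanonicalIdentity maps the assumed-role session ARN that STS reports for a
// user who assumed a role onto the IAM role ARN the configmap is keyed by.
func CanonicalIdentity(arn string) string {
	p := strings.Split(arn, ":")
	if len(p) == 6 && p[2] == "sts" && strings.HasPrefix(p[5], "assumed-role/") {
		return "arn:" + p[1] + ":iam::" + p[4] + ":role/" + strings.Split(p[5], "/")[1]
	}
	return arn
}

// Authorize decides whether the verified caller may run a CLI action; unknown
// identities and unknown actions are denied.
func Authorize(arn, action string) bool {
	deploy, ok := canDeploy[CanonicalIdentity(arn)]
	read := action == "list" || action == "get"
	write := action == "deploy" || action == "delete"
	return ok && (read || (write && deploy))
}
```

The operator would only issue the GET for the presigned URL after ValidatePresignedURL passes, and then feed the ARN from the STS response into Authorize.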
Alternatives
- integrate with eksctl iamidentitymapping (this can be tricky: how can the operator assume the IAM entity of the client without the client explicitly passing its credentials over the network?)
- break up the operator and have the clients apply k8s resources directly (this is blocked on converting cortex artifacts to CRDs)
Useful design information is available in the conversations of this ticket #1134.