In the [single cluster multitenancy] proposal, the functional requirement [FR4] introduced the use of cluster-wide resources, managed by the CAPI maintainers,
thereby preventing privilege escalation through administrator review.
In large organisations favouring autonomy, this places a high responsibility on the team operating CAPA: they need to judge which roles can be used in which namespaces.
This breaks the autonomy principle those organisations have.
In this situation, the current model introduces two sources to trust (the CAPA operator and the team operating it) and reduces the cluster operator's autonomy to create
clusters in new accounts.
Goals
---
1. To enable AWSIdentity resources that grant cluster administrators the autonomy to deploy clusters in their own accounts
2. To enable cluster administrators to allow or forbid AWSIdentities in their accounts