Omit creation of default RBAC rules on select organization namespaces

Problem

We use services (eg "VSHN Application Catalog") that will create namespaces (managed by the service) for the end users. Those managed namespaces will also have the corresponding orgainzation label set (mostly for billing purposes). By default, this will give the organization users full access to those managed namespaces and would allow the users to manipulate any services running in those managed namespaces in an undesired way. To avoid that, the default RBACs should not be created for such namespaces.

Proposals

  1. Create a new label appuio.io/access-level where you can define the access level for the namespace, for example::

    • appuio.io/access-level: read-write — read-write access for the organization — equivalent to omitting the label.

    • appuio.io/access-level: read-only — read-only access for the organization

    • appuio.io/access-level: none — no access for the organization

  2. Create a new label appuio.io/no-rbac-creation where you can define if the default RBACs should be created (read-write access) or not (no access at all)::

Decision

Create a new label appuio.io/no-rbac-creation

Rationale

Multiple access levels introduce more complexity, furthermore it is desired to manage the RBAC direclty with AppCat in the compositions. A simple flag to not add any RBAC is thefore sufficient for this usecase. As we currently don’t have any usecase for multiple access levels, this idea was dropped.