Description
The following requirement came up recently in one of our client interactions.
They want to create separate application instances (dev, test, prod) and give access to these instances to specific users.
As a general description, imagine an application provider (e.g.: WordPress provider) creates an Application for a customer, say wp1. The Kubernetes resources for this instance will be created in the wp1 namespace. The application provider should be able to create consumer kubeconfig files in that namespace (wp1) with permissions that are restricted to that namespace only.
We support the ability to create consumer kubeconfigs via provider-kubeconfig.py. We first create a ServiceAccount for the consumer and then generate a kubeconfig file for that consumer. The SA is created in the same namespace where KubePlus is installed. The default permissions on this kubeconfig are read-only access to most of the K8s resources across all the Namespaces. We want to evolve this to support the above requirement.
The idea will be to take the target Namespace as input when creating the consumer ServiceAccount and to create RBAC policies for that ServiceAccount scoped to that Namespace.
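As an added illustration of the namespace-scoped approach (example code written here, not the project's provider-kubeconfig.py), the script below builds the ServiceAccount, a namespaced Role and a RoleBinding for a target namespace such as wp1, checks that nothing in the set widens the grant beyond that namespace, and emits a kubeconfig whose default context points at it. The resource list, verb sets and the sample cluster values are constructed for the example; it assumes the manifests are applied with `kubectl apply -f` (JSON manifests are accepted) and that the ServiceAccount bearer token is obtained separately (for example with `kubectl -n wp1 create token wp1-consumer` on Kubernetes 1.24+).

```python
"""Namespace-scoped consumer access: ServiceAccount + Role + RoleBinding + kubeconfig.

Added example, not the project's own code. Assumptions: manifests are applied
with `kubectl apply -f` (JSON accepted); the bearer token is fetched separately,
e.g. `kubectl -n <ns> create token <sa>` on Kubernetes 1.24+.
"""
import base64
import json
import sys

# Verb sets for the consumer inside its own namespace (constructed for this example).
READ_VERBS = ["get", "list", "watch"]
WRITE_VERBS = READ_VERBS + ["create", "update", "patch", "delete"]


def namespace_scoped_rbac(namespace, sa_name, allow_writes=False):
    """Return [ServiceAccount, Role, RoleBinding] that confine sa_name to namespace.

    A Role (unlike a ClusterRole) is itself namespaced, so its rules can never
    reach other namespaces or cluster-scoped objects such as Nodes or CRDs.
    """
    verbs = WRITE_VERBS if allow_writes else READ_VERBS
    role_name = f"{sa_name}-role"
    service_account = {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": sa_name, "namespace": namespace},
    }
    role = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespace},
        "rules": [{
            # Resource list is an example choice, not a KubePlus default.
            "apiGroups": ["", "apps", "batch"],
            "resources": ["pods", "pods/log", "services", "configmaps",
                          "deployments", "statefulsets", "jobs"],
            "verbs": verbs,
        }],
    }
    role_binding = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": f"{sa_name}-binding", "namespace": namespace},
        "subjects": [{"kind": "ServiceAccount", "name": sa_name,
                      "namespace": namespace}],
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "Role", "name": role_name},
    }
    return [service_account, role, role_binding]


def check_namespace_scoped(manifests, namespace):
    """Guard run before applying: refuse anything that widens the grant.

    Returns (ok, reason). A RoleBinding to a ClusterRole would still be limited
    to the binding's namespace, but it is rejected here so that every rule the
    consumer receives lives in, and is reviewable from, the target namespace.
    """
    for m in manifests:
        if m["kind"] in ("ClusterRole", "ClusterRoleBinding"):
            return False, f"{m['kind']} grants cluster-wide access"
        if m["metadata"].get("namespace") != namespace:
            return False, f"{m['kind']} {m['metadata']['name']} is not in {namespace}"
        if m["kind"] == "RoleBinding":
            if m["roleRef"]["kind"] != "Role":
                return False, "RoleBinding references a ClusterRole"
            for subject in m["subjects"]:
                if subject.get("namespace") != namespace:
                    return False, f"subject {subject.get('name')} is outside {namespace}"
    return True, "ok"


def build_kubeconfig(cluster_name, server, ca_pem, token, namespace, user):
    """Kubeconfig with a single context defaulting to `namespace`.

    The context namespace only sets kubectl's default; the real boundary is the
    RoleBinding, which the API server enforces regardless of what the user
    passes with -n.
    """
    ca_b64 = base64.b64encode(ca_pem.encode()).decode()
    context_name = f"{user}@{cluster_name}"
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name,
                      "cluster": {"server": server,
                                  "certificate-authority-data": ca_b64}}],
        "users": [{"name": user, "user": {"token": token}}],
        "contexts": [{"name": context_name,
                      "context": {"cluster": cluster_name, "user": user,
                                  "namespace": namespace}}],
        "current-context": context_name,
    }


if __name__ == "__main__":
    # Constructed sample values; replace with the real cluster endpoint, CA and token.
    ns, sa = "wp1", "wp1-consumer"
    manifests = namespace_scoped_rbac(ns, sa)
    ok, reason = check_namespace_scoped(manifests, ns)
    if not ok:
        sys.exit(f"refusing to apply: {reason}")
    json.dump({"apiVersion": "v1", "kind": "List", "items": manifests},
              sys.stdout, indent=2)
    print()
    json.dump(build_kubeconfig("demo-cluster", "https://10.0.0.1:6443",
                               "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
                               "<token from kubectl create token>", ns, sa),
              sys.stdout, indent=2)
```

Piping the first JSON document to `kubectl apply -f -` creates the three objects; the second document is the file handed to the consumer. Because the Role is namespaced and the binding subject is the ServiceAccount in that same namespace, a request such as `kubectl get pods -n other-ns` with this kubeconfig is denied by the API server, which is the property the requirement asks for.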