[x] What all is involved with the enforcement of this controller? (E.g. Gatekeeper policies, SAS notebooks, Kubeflow profiles, etc. - how do all of these entities interact?)
[x] I think a diagram might be helpful in this repository. Especially because (I think) other platform features will follow the pattern used in the SAS notebook feature.
Extra Info:
Watches for SAS notebooks: if a SAS notebook is present, then a non-employee cannot be added. If a non-employee is in the namespace, then a user cannot create a SAS notebook.
Watches for rolebindings in the profile namespace: if any non-employee user is present in a namespace role binding, then add a label saying this is a non-employee namespace.
This controller sets labels that Gatekeeper uses to enforce policies.
Documentation update: https://github.com/StatCan/daaas/issues/1068
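A sketch of how the pieces described above fit together, added here as an illustration and not taken from the controller's or the Gatekeeper policies' own code. The label key, the employee e-mail domain, the rule that only `User` subjects are checked, and all function names are assumptions; `Subject` is a cut-down stand-in for a Kubernetes role binding subject.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical label key and employee domain: the page names neither.
const nonEmployeeLabel = "example.org/non-employee-users"

var employeeDomains = map[string]bool{"employee.example.org": true}

// Subject is a cut-down stand-in for a RoleBinding subject.
type Subject struct{ Kind, Name string }

// isEmployee fails closed: a user name without a known domain is a non-employee.
func isEmployee(user string) bool {
	at := strings.LastIndex(user, "@")
	return at >= 0 && employeeDomains[strings.ToLower(user[at+1:])]
}

// NamespaceLabel is the controller side: derive the label value from the
// subjects of every role binding in the profile namespace.
func NamespaceLabel(subjects []Subject) string {
	for _, s := range subjects {
		if s.Kind == "User" && !isEmployee(s.Name) {
			return "true"
		}
	}
	return "false"
}

// AllowSASNotebook is the policy side: it reads only the namespace labels.
// A namespace the controller has not labelled yet is denied.
func AllowSASNotebook(nsLabels map[string]string) bool {
	return nsLabels[nonEmployeeLabel] == "false"
}

// AllowRoleBinding denies adding a non-employee while a SAS notebook exists.
func AllowRoleBinding(s Subject, sasNotebookPresent bool) bool {
	return s.Kind != "User" || isEmployee(s.Name) || !sasNotebookPresent
}

func main() {
	subjects := []Subject{{"User", "a@employee.example.org"}, {"User", "b@partner.example.net"}} // constructed
	labels := map[string]string{nonEmployeeLabel: NamespaceLabel(subjects)}
	fmt.Println(labels, AllowSASNotebook(labels), AllowRoleBinding(subjects[1], true))
}
```

The split mirrors the description: the controller only writes the label, and the admission decisions only read it, so a missing or stale label is the case to test for.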