DRAFT: @cbrown/1335 non employee rbac

[Collinbrown95]

Description

Refactor deny-external-users and deny-employee-only-features to make use of the new capability-based labels of profiles-state-controller. Specific changes

deny-external-users

• instead of checking if domain matches statcan employee domains, need to check also if the emails are in the non-employee-exceptions configmap.
• use new state.aaw.statcan.gc.ca/has-sas-notebook-feature label to determine if the namespace already has a pod with the sas-notebook feature.

In summary: if the user being added does not have a Statcan domain or is in the list of exception cases, and the user is being added to a namespace that has state.aaw.statcan.gc.ca/has-sas-notebook-feature: true (i.e. there is a pod with the sas-notebook feature enabled), then the request should be denied since a non-employee user without an exception is being added to a namespace with the sas-notebook feature present in at least one pod.

deny-employee-only-features

• same logic as before, except the label is now state.aaw.statcan.gc.ca/exists-non-sas-notebook-user instead of state.aaw.statcan.gc.ca/non-employee-users.

In summary: if a pod with a SAS image is being created in a namespace with state.aaw.statcan.gc.ca/exists-non-sas-notebook-user: true, then the request should be denied as there exists at least one user in the namespace who does not have the sas-notebook capability.

[Collinbrown95]

Closing in favour of https://github.com/StatCan/gatekeeper-policies/pull/46