Previously, when a user registered and logged into the holos app server,
they were able to reach admin interfaces like
https://argocd.admin.example.com

This patch adds AuthorizationPolicy resources governing the whole
cluster. Users with the prod-cluster-{admin,edit,view} roles may access
admin services like argocd.

Users without these roles are blocked with RBAC: access denied.

In ZITADEL, the Holos Platform project is granted to the CIAM
organization without granting the prod-cluster-* roles, so there's no
possible way a CIAM user account can have these roles.
Closes: #181