larsks
commented
1 month ago @joachimweyl this is the issue re: tracking cluster-wide resources associated with projects.
Open larsks opened 1 month ago
larsks
commented
1 month ago @joachimweyl this is the issue re: tracking cluster-wide resources associated with projects.
larsks
commented
1 month ago @jtriley suggests that simply labelling this resources would be a reasonable starting point. How are coldfront projects identified? I see that our project namespaces have a cf_project_id attribute; should we use that? Or should we use the namespace name (like nextgen-justice-4d21a9).
In #756, we need to create a custom ClusterRoleBinding to grant Jason Schlessman read access to Node resources. The way things work now, this custom resource will hang around even after Jason's access to the production cluster has expired.
While most custom rbac we add to the cluster is confined within the project namespace (which means it will be cleaned up if/when the project is deleted), we ought to have a way of attaching cluster-scoped resources to coldfront allocations so that when a project expires, all the associated resources get cleaned up.