outscale / cluster-api-provider-outscale

BSD 3-Clause "New" or "Revised" License

[Feature]: Document a policy example for cluster API #388

Open pierreozoux opened 1 week ago

pierreozoux commented 1 week ago

Explain problem to solve

We want to have a tight configuration of the EIM policy associated with this controller.

Describe the solution you would like

We'd like a nice policy JSON example, like here:

Additional context

,

Environment

.

Olivier-Heintz commented 3 days ago

First proposition: authorize all APIs except the APIs related to EIM management. The result will be 2 policies:

  1. authorize all APIs
  2. explicitly deny the APIs related to EIM management

{
    "Statement": [
        {
            "Action": [
                "api:*"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}

and

{
    "Statement": [
        {
            "Action": [
                "api:*AccessKey*",
                "api:*Account*",
                "api:*ApiAccessRule*",
                "api:CreateCa",
                "api:DeleteCa",
                "api:UpdateCa",
                "api:*User*",
                "api:ReadAdminPassword",
                "api:*ApiAccessPolicy",
                "api:ReadEntitiesLinkedToPolicy",
                "api:*Policies",
                "api:*Policy"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny"
        },
        {
            "NotAction": [
                "api:CreateLoadBalancerPolicy",
                "api:DeleteLoadBalancerPolicy"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Deny"
        }
    ]
}

This configuration is not yet tested (I have a doubt about the Effect value for NotAction).
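
A way to check the two policies above before attaching them, as an added example that is not part of the thread or the project's code: it evaluates them under assumed IAM-style semantics (explicit Deny overrides Allow, `*` is a glob, a NotAction statement applies to every action it does not list). Whether EIM evaluates NotAction this way is an assumption, and the function names and the sample call `api:CreateVms` are chosen here for illustration.

```python
from fnmatch import fnmatchcase

# The two policies proposed in the comment above, copied as posted.
ALLOW_ALL = {"Statement": [{"Action": ["api:*"], "Resource": ["*"], "Effect": "Allow"}]}
DENY_EIM = {
    "Statement": [
        {"Action": ["api:*AccessKey*", "api:*Account*", "api:*ApiAccessRule*",
                    "api:CreateCa", "api:DeleteCa", "api:UpdateCa", "api:*User*",
                    "api:ReadAdminPassword", "api:*ApiAccessPolicy",
                    "api:ReadEntitiesLinkedToPolicy", "api:*Policies", "api:*Policy"],
         "Resource": ["*"], "Effect": "Deny"},
        {"NotAction": ["api:CreateLoadBalancerPolicy", "api:DeleteLoadBalancerPolicy"],
         "Resource": ["*"], "Effect": "Deny"},
    ]
}

def statement_applies(stmt, action):
    """Assumed IAM-style matching (case-sensitive globs, a simplification):
    Action applies when a glob matches; NotAction applies when none does."""
    if "NotAction" in stmt:
        return not any(fnmatchcase(action, p) for p in stmt["NotAction"])
    return any(fnmatchcase(action, p) for p in stmt.get("Action", []))

def evaluate(action, policies):
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny'.
    Assumption: an explicit Deny in any attached policy overrides every Allow."""
    effects = {s["Effect"] for p in policies for s in p["Statement"]
               if statement_applies(s, action)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"

def without_notaction(policy):
    """Copy of a policy with its NotAction statements dropped, for comparison."""
    return {"Statement": [s for s in policy["Statement"] if "NotAction" not in s]}

# Constructed sample calls; api:CreateVms stands in for a call the controller needs.
SAMPLE = ["api:CreateVms", "api:CreateAccessKey", "api:CreateLoadBalancerPolicy"]

def report(policies):
    """Map each sample action to its evaluated effect."""
    return {a: evaluate(a, policies) for a in SAMPLE}

if __name__ == "__main__":
    print("as posted:        ", report([ALLOW_ALL, DENY_EIM]))
    print("without NotAction:", report([ALLOW_ALL, without_notaction(DENY_EIM)]))
```

Under these assumptions the pair as posted denies every sample call, because the Deny statement with NotAction covers everything except the two load balancer policy calls and those two are already caught by the `api:*Policy` pattern in the first Deny statement.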

outscale-hmi commented 3 days ago

Hello, we will test it on our end and keep you updated today.