prod{access,vider}: implement
Prodaccess/Prodvider allow issuing short-lived certificates for all SSO
users to access the kubernetes cluster.
Currently, all users get a personal-$username namespace in which they
have administrative rights. Otherwise, they get no access.
In addition, we define a static CRB to allow some admins access to
everything. In the future, this will be more granular.
We also update relevant documentation.
Change-Id: Ia18594eea8a9e5efbb3e9a25a04a28bbd6a42153
diff --git a/cluster/kube/lib/registry.libsonnet b/cluster/kube/lib/registry.libsonnet
index 1ce022d..a791acf 100644
--- a/cluster/kube/lib/registry.libsonnet
+++ b/cluster/kube/lib/registry.libsonnet
@@ -152,11 +152,12 @@
},
local data = self,
pushers:: [
- { who: ["q3k", "inf"], what: "vms/*" },
- { who: ["q3k", "inf"], what: "app/*" },
- { who: ["q3k", "inf"], what: "go/svc/*" },
+ { who: ["q3k", "informatic"], what: "vms/*" },
+ { who: ["q3k", "informatic"], what: "app/*" },
+ { who: ["q3k", "informatic"], what: "go/svc/*" },
{ who: ["q3k"], what: "bgpwtf/*" },
{ who: ["q3k"], what: "devtools/*" },
+ { who: ["q3k", "informatic"], what: "cluster/*" },
],
acl: [
{
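Review bot: The `pushers` changes in this hunk alter registry push permissions without any explanation in the commit message: `inf` is renamed to `informatic` on the `vms/*`, `app/*` and `go/svc/*` entries, and a new `cluster/*` grant is added. If the rename is there so that `who` values match SSO usernames, a one-line comment above `pushers` saying so, plus a note on why `cluster/*` push access is needed, would make the grant auditable. The pair `["q3k", "informatic"]` is now repeated four times; binding it once to a local (any name, for example `local pushAdmins = ["q3k", "informatic"]`) and referencing it from each entry would keep the entries from drifting apart on the next rename.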