Following the discussion on #137 (comment), we could add a complementary authorization check to secure impersonation by white-listing only the authorized service accounts.
This would be materialized by a new attribute on Organization entity (maybe defaulting to ["*"]?), allowing organization members to select only the Kubernetes service accounts that can impresonate them and manage the lifecycle of their resources.
Following the discussion on #137 (comment), we could add a complementary authorization check to secure impersonation by white-listing only the authorized service accounts.
This would be materialized by a new attribute on
Organizationentity (maybe defaulting to["*"]?), allowing organization members to select only the Kubernetes service accounts that can impresonate them and manage the lifecycle of their resources.