Hello everyone! I'm part of the operations team overseeing some Kubernetes clusters. The development team has requested to install and manage the CloudNativePG operator within a specific namespace so they can deploy PostgreSQL for their development needs. However, this raises concerns regarding the necessary cluster role for managing the Custom Resource Definitions (CRDs), which is against our company's policy. I'm looking for alternative ways to enable the developers to self-manage the CloudNativePG operator while adhering to the least privilege principle. Any suggestions?
5 Answers
Consider leveraging tools like Kyverno or OPA to restrict the namespaces where they can deploy the CloudNativePG operator. This could help enforce your least privilege approach.
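As an added illustration of this answer (not code from the original thread or from the Kyverno or CloudNativePG projects), the following Kyverno ClusterPolicy pins the operator itself to the platform-owned cnpg-system namespace while still letting teams create Cluster custom resources in their own namespaces. The namespace name cnpg-system, the image prefix ghcr.io/cloudnative-pg/cloudnative-pg and the team-* namespace naming convention are assumptions for the example; adjust them to your environment.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: restrict-cnpg-operator-namespace
  annotations:
    policies.kyverno.io/description: >-
      Only the platform-owned cnpg-system namespace may run the CloudNativePG
      operator image. Developer namespaces keep the right to create Cluster CRs,
      but only in namespaces that follow the team-* naming convention.
spec:
  # Start with Audit to see what would be blocked, then switch to Enforce.
  validationFailureAction: Enforce
  background: true
  rules:
    # Rule 1: the operator image may only run in cnpg-system.
    # Matching on Pod lets Kyverno auto-generate the equivalent rules for
    # Deployments, StatefulSets, etc., so a dev cannot sidestep it via a controller.
    - name: operator-image-only-in-cnpg-system
      match:
        any:
          - resources:
              kinds:
                - Pod
      exclude:
        any:
          - resources:
              namespaces:
                - cnpg-system          # assumed: operations-managed operator namespace
      validate:
        message: >-
          The CloudNativePG operator may only be deployed in the cnpg-system
          namespace, which is managed by the operations team.
        pattern:
          spec:
            containers:
              # "!" negates the pattern; "*" is a wildcard, so any tag is covered.
              - image: "!ghcr.io/cloudnative-pg/cloudnative-pg*"   # assumed image prefix
    # Rule 2: Cluster CRs are allowed, but only in team namespaces.
    - name: cluster-crs-only-in-team-namespaces
      match:
        any:
          - resources:
              kinds:
                - postgresql.cnpg.io/v1/Cluster
      validate:
        message: >-
          CloudNativePG Cluster resources may only be created in team-* namespaces.
        pattern:
          metadata:
            namespace: "team-*"        # assumed namespace naming convention
```

Note that this policy complements, rather than replaces, RBAC: Kyverno can stop a Deployment of the operator image from being admitted, but it does not grant or remove the cluster-scoped permissions on CustomResourceDefinitions that the operator install needs, so the developers still cannot install the CRDs themselves unless you bind them a ClusterRole.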
I think it's best for your team to manage the operator. The developers should be focusing on utilizing it rather than operating it themselves.
Yes, the easy route is to limit their permissions to just the Custom Resources and ConfigMaps. This allows them to create and configure managed clusters without giving them broader access, and they won’t need to interact with the cnpg-system namespace either. You can handle the operator management while they just focus on their own resources.
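As an added example of the permission split described in this answer (not code from the original thread or from the CloudNativePG project), the manifest below gives a developer group a namespaced Role over the CloudNativePG custom resources and ConfigMaps, with read-only visibility into the Pods and Services the operator creates for them, and deliberately no access to CustomResourceDefinitions or to the cnpg-system namespace. The namespace team-db-dev and the group dev-team are hypothetical names; the resource names under postgresql.cnpg.io are the operator's CRDs.

```yaml
# Namespaced Role: everything here is confined to the developers' own namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cnpg-tenant
  namespace: team-db-dev            # hypothetical developer namespace
rules:
  # The CloudNativePG custom resources the developers create and manage.
  - apiGroups: ["postgresql.cnpg.io"]
    resources: ["clusters", "backups", "scheduledbackups", "poolers"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Status subresources stay read-only for them; only the operator writes status.
  - apiGroups: ["postgresql.cnpg.io"]
    resources: ["clusters/status", "backups/status", "scheduledbackups/status", "poolers/status"]
    verbs: ["get"]
  # ConfigMaps for custom postgresql.conf snippets, bootstrap SQL, etc.
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  # Read-only view of what the operator built on their behalf, for troubleshooting.
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services", "events", "persistentvolumeclaims"]
    verbs: ["get", "list", "watch"]
  # Intentionally absent: apiextensions.k8s.io/customresourcedefinitions (cluster-scoped,
  # would need a ClusterRole) and any rule touching the cnpg-system namespace.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cnpg-tenant
  namespace: team-db-dev
subjects:
  - kind: Group
    name: dev-team                  # hypothetical group from your identity provider
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: cnpg-tenant
  apiGroup: rbac.authorization.k8s.io
```

To verify the boundary after applying it, impersonate a member of the group: `kubectl auth can-i create clusters.postgresql.cnpg.io -n team-db-dev --as=dev1 --as-group=dev-team` should answer yes, while `kubectl auth can-i create customresourcedefinitions --as=dev1 --as-group=dev-team` and `kubectl auth can-i list pods -n cnpg-system --as=dev1 --as-group=dev-team` should both answer no. One caveat: the operator stores the generated database credentials in Secrets in the same namespace, so if the developers need to read those you will have to add a `get` on `secrets` (ideally restricted with `resourceNames`) on top of what this answer lists.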
One option is to provide the developers with a 'fake' cluster that they can fully own without any access to the real one. At a previous company, we used vCluster to create virtual Kubernetes clusters for development teams. This way, they had the freedom to install CRDs and Operators without affecting the main cluster. It alleviates the headaches of managing multi-tenancy as they can do whatever they want on their virtual environment!
You don’t have to use the service account and cluster role that comes with the CloudNativePG Helm chart. You can create your own service account and attach it directly to the pod instead. This gives you more control over what they can access.