Most Kubernetes users I have worked with integrated with some cloud provider auth or similar to grant permissions to Kubernetes resources.
I can see this being useful for smaller deployments or when such integrations are unavailable but it might be worth explaining that in the readme of the project.
Also, how do you see this working in the config as code / ‘gitops’ world? How does this work for clusters in different environments?
So, this is mostly recommended (as you said) for smaller projects/teams/orgs but we figured out this would still be useful to many so we just open sourced it.
It's also entirely true that you can use it in any cluster, as Kubernetes under the hood does NOT have any concept of "user"; it's just a bunch of certificates with some roles attached, so you can actually deploy it anywhere and you can use it to release certs on the fly for your users.
As for gitops, that's a great question we got asked a few times today. It's just not there right now; this is a nice web UI wrapping RBAC primitives. We'll surely be working on it soon.
Hopefully, this was clear. Let me know if you have more questions.
For me personally, I've spent the weekends of the last two months learning ldap basics only to find out that k8s+ldap is another mess on its own.
Also, there was an old project called casbin which is used by ArgoCD.
In my system, I created an Account CRD and let an account controller do all the logic. This way you do not need another api server.