I guess the ship has probably sailed on this one, but we are using option 4 from #4043 to control accepting claims in a particular namespace.

We create an Azure User Assigned Identity->Federated Identity->AKS Service Account that has the namespaced rolebinding of crossplane-admin and then use the namespace annotations to control what claims are allowed to be managed in that namespace by that user.

The feature actually works really well and allows our web app to securely manage Azure infrastructure without having carte blanche access to the crossplane API or the Azure API. So in theory, if our webapp was compromised, the bad actors would only have access to the predetermined claim definitions in Azure (bad enough, but not enough to take over the subscription).

@jeremypng Yes unfortunately the ship has sailed. From what I can gather you may have been the only folks using this feature. Sorry!

FWIW I think this controller was pretty self-contained, so if you're up for maintaining it it should be relatively straightforward to take the code that was deleted in this PR and package it up as a standalone controller that can be deployed alongside Crossplane. I'd be happy for that to live in crossplane-contrib if anyone is interested in maintaining it.

I think it would be easier for us to just create a role for our Crossplane claims and apply that rolebinding to the user instead of the crossplane-admin role. We're not in a position to take on ownership of that code. At the end of the day, I guess the RBAC controller was just a convenience method. As much YAML as we have, what's a few hundred more lines... Thanks for the response.