[streetcat1]

so, can you compare this to the OPA? Are you integrating with the OPA?

Also, there was an old project called casbin which is used by ArgoCD.

In my system, I created an Account CRD and let an account controller do all the logic. This way you do not need another api server.

[jnardiello]

Not related to OPA. This is not an admission webhook, nor deals with gatekeeper and such, it does not enforce policies. It's a simple abstraction on the certs creation mechanisms and native Kubernetes RBAC.