I've got a cluster with a number of already existing namespaces, and an automatization process that creates (and manages) new namespaces using Terraform.
The service account used for Terraform (TF) got the roles with permission to all namespaces - as I believe this is the only possible solution (TF needs them to manage namespaces).
But due to that, it is also able to modify (and delete) the namespaces that were created before, outside the Terraform processing - and this is something I'd like to prevent/block.
So here's my question - is it possible to restrict this automatization process from modifying already existing namespaces?
The idea to distinguish between old and new namespaces is to simply add labels to the new ones created by TF, but I am not aware of any mechanism that could then prohibit modifications based on such labels...
Admission controllers seem remotely suitable, but I'm completely new to that topic and not sure if those can be used for such purposes.
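One way to enforce exactly this label-based rule, as an added example that is not part of the original question: a Kubernetes `ValidatingAdmissionPolicy` (admissionregistration.k8s.io/v1, GA since Kubernetes 1.30) whose CEL expression denies UPDATE and DELETE on any namespace that does not already carry the Terraform label. The service account name `system:serviceaccount:terraform:terraform` and the label `managed-by=terraform` are assumptions; substitute your own.

```yaml
# Added example (not from the question). Assumed values: the Terraform
# service account lives in namespace "terraform" and is also named
# "terraform"; Terraform creates namespaces with label managed-by=terraform.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicy
metadata:
  name: terraform-only-managed-namespaces
spec:
  failurePolicy: Fail            # if the policy cannot be evaluated, deny
  matchConstraints:
    resourceRules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["UPDATE", "DELETE"]   # PATCH is reported as UPDATE
        resources: ["namespaces"]
  # Only requests made by the Terraform service account are evaluated;
  # every other identity is unaffected by this policy.
  matchConditions:
    - name: request-from-terraform-service-account
      expression: >-
        request.userInfo.username == 'system:serviceaccount:terraform:terraform'
  validations:
    # oldObject is the namespace as it exists before the change, so it is
    # available for both UPDATE and DELETE. A namespace created outside
    # Terraform has no managed-by=terraform label and the request is denied.
    # Terraform cannot simply add the label later, because that edit is
    # itself an UPDATE of an unlabelled namespace and is blocked too.
    - expression: >-
        has(oldObject.metadata.labels) &&
        'managed-by' in oldObject.metadata.labels &&
        oldObject.metadata.labels['managed-by'] == 'terraform'
      message: >-
        The Terraform service account may only modify or delete namespaces
        labelled managed-by=terraform.
      reason: Forbidden
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingAdmissionPolicyBinding
metadata:
  name: terraform-only-managed-namespaces
spec:
  policyName: terraform-only-managed-namespaces
  validationActions: ["Deny"]
  # No matchResources: Namespace is cluster-scoped, so a namespaceSelector
  # would not apply; the binding covers every namespace object.
```

Keep the Terraform service account's RBAC free of rights on `admissionregistration.k8s.io` resources, otherwise it could delete the policy that constrains it. CREATE is deliberately left out of the rules so Terraform can still create new, labelled namespaces; pair this with `kubectl auth can-i --as=system:serviceaccount:terraform:terraform delete namespace <existing-ns>` style spot checks after rollout.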