# fleet
Hi there. Looking at Fleet and it looks awesome for what we are trying to achieve. Is there any resource or best practice around locking down the fleet agent interface? Especially for an edge scenario where the edges are out in the wild (so the Fleet controller needs to be accessible securely over the internet, over TLS etc.). We want to use Fleet to manage edge clusters that would live in customer environments (running our software). Does the fleet agent access limited resources on the cluster? E.g. can we lock down access with a proxy/gateway to only the kube API resources that are accessed by the fleet agent? I see BundleDeployment, wondering if this is all that is needed by the agent.

After the agent is registered, it uses the `request` service account to access resources in the cluster namespace (bundledeployments and secrets) and content resources. It can also update the cluster status in the cluster registration namespace. The local cluster is treated like any other cluster, so you can install fleet and inspect the service account used by the local agent to find out more.
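One way to turn the answer above into a check, as an added example that is not Fleet's own code or manifests: flatten the RBAC rules bound to the agent's service account and flag anything beyond the resources listed in the reply. The Role/ClusterRole objects are constructed samples, and the API group name `fleet.cattle.io` and the resource names `contents` and `clusters/status` are assumptions.

```python
# Constructed sample Role/ClusterRole objects (shape of `kubectl get -o json`); fleet.cattle.io and the contents / clusters/status names are assumed.
TIGHT_ROLE = {
    "kind": "Role", "metadata": {"namespace": "cluster-fleet-example", "name": "fleet-agent-sample"},
    "rules": [
        {"apiGroups": ["fleet.cattle.io"], "resources": ["bundledeployments", "bundledeployments/status"], "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    ],
}
BROAD_CLUSTERROLE = {
    "kind": "ClusterRole", "metadata": {"name": "agent-too-wide"},
    "rules": [
        {"apiGroups": ["fleet.cattle.io"], "resources": ["contents"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["*"], "resources": ["secrets"], "verbs": ["*"]},  # the kind of grant to catch
    ],
}

# (apiGroup, resource) pairs the agent is described as needing; "" is the core API group.
ALLOWED = {
    ("fleet.cattle.io", "bundledeployments"), ("fleet.cattle.io", "bundledeployments/status"),
    ("fleet.cattle.io", "contents"), ("fleet.cattle.io", "clusters/status"),
    ("", "secrets"),
}

def flatten(role):
    """Expand one Role/ClusterRole into (group, resource, verb, scope) tuples.
    scope is the namespace for a Role and "*" (cluster-wide) for a ClusterRole."""
    scope = role["metadata"].get("namespace", "*") if role["kind"] == "Role" else "*"
    grants = set()
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    grants.add((group, resource, verb, scope))
    return grants

def audit(roles):
    """Findings: wildcard grants, cluster-wide secret access, resources outside ALLOWED. Empty list = least privilege holds."""
    findings = []
    for role in roles:
        name = role["metadata"]["name"]
        for group, resource, verb, scope in sorted(flatten(role)):
            label = f"{group or 'core'}/{resource}"
            if "*" in (group, resource, verb):
                findings.append(f"{name}: wildcard grant {label} verb={verb}")
            elif (group, resource) not in ALLOWED:
                findings.append(f"{name}: unexpected resource {label} verb={verb}")
            elif resource == "secrets" and scope == "*":
                findings.append(f"{name}: secrets readable cluster-wide verb={verb}")
    return findings
```

Feed it the Role/ClusterRole objects actually bound to the agent's service account in your cluster (via RoleBinding/ClusterRoleBinding subjects) and compare against what the agent is supposed to touch.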