The API requires access to the K8s API to deploy and manage MW environments. In production, the access is provided with a Kubeconfig file that uses the default user and basically gives unrestricted access to the cluster. The Kubeconfig is put in the fileystem via an init container: https://gitlab.wikimedia.org/repos/qte/catalyst/catalyst-api/-/merge_requests/42

There are probably alternatives to this approach that we want to investigate. In particular it would be interesting to see if we can restrict access while still allowing the API to handle envs as required.