To dynamically provision pods, we need to either store the full job spec in the
calling code (eew) or have the calling code generate an instance of a Custom
Resource Definition. That alone doesn’t do anything, you need to write a
Custom Controller.
To have a pod call into k8s directly, we need a service account. There’s a
default one, but it doesn’t have permissions for listing CRDs.
We can validate that the underlying resource is accessible via:
Those environment variables and files are present by default in all pods.