We have highlighted some open questions related to security.

In particular, how to augment the spec so we can enforce proper authority of certain actions:

• does the user have the authority to create a ServiceBinding CR?
• does the user have the authority to access the binding data for all requested services?
• does the user have the authority to modify the source application with the injected binding data?

This issue will discuss how to move this forward.