Ah thanks! That makes sense. I’m not sure I caught this bit though:
Remember how we setup a groups property-mapper when deploying authentik? When kube-apiserver requests the
groupsscope from Authentik, the mapper will return all a user’s group names.
I don’t think I have anything linking the CRD to the group in Authentik. I’ll keep poking around.