For reference the design we have been working from places nodepool as a Cloud-Services managed resource that is offered to Release-Engineering-Team (or whoever) as it is more or less a part of labs and will need to be managed by the Cloud-Services team. To get things done (tm) we all agreed to get @hashar root so SRE wasn't blocking his initial configuration (which was grudgingly accepted as happening on this real physical host and not in a test scenario). But this is all temporary. The plan is once everything is puppetized we reimage with a sane permissions and user scheme before this sees the light of production :)
It seems the original changeset may have been over-permissioned to https://phabricator.wikimedia.org/diffusion/OPUP/browse/production/hieradata/hosts/labnodepool1001.yaml already idk, but the root case has been a definite temporary one-off.
I created this task in a hurry following a 1/1 I had with @dduvall. Following the Release-Engineering-Team offsite we decided to work more closely together inside the team, and hence Dan is going to take the lead on CI isolation just like me :-}
So the root request for labnodepool1001.eqiad.wmnet is still in the context of setting up the proof of concept and the access should indeed be removed once we switch to the real production service. I have updated T95303: Remove hashar and dduvall root access on to be installed labnodepool1001 already so we remember to remove Dan access as well.
I guess we will want to determine the fine sudo access we will end up needing. I have filled that as T102281.