Confirm whynot credential binding

2026-06-27 23:45:31 +02:00
parent aee0dcefad
commit 52687d8b3e
6 changed files with 115 additions and 41 deletions

View File

@@ -149,6 +149,7 @@ make credential-change-render CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-plan CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-status CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-status-json CREDENTIAL_CHANGE=CCR-2026-0001
scripts/credential-change.py confirm-binding CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py approve CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py deny CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py needs-changes CCR-2026-0001 --reviewer <name> --comment "..."
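Review bot: the added `scripts/credential-change.py confirm-binding CCR-2026-0001 --reviewer <name> --comment "..."` line is listed between the `make credential-change-status-json` target and `approve`, but nothing in the hunk says what the confirmation records or whether `approve` is gated on it; add a sentence under the list stating what `confirm-binding` writes to the CCR record and whether `approve` is refused (or at least warns) while no binding confirmation exists, so the ordering shown here is a requirement rather than a convention the reader has to infer.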

View File

@@ -107,9 +107,10 @@ The role must attach only:
workload-kv-read-whynot-design-npm-publish
```
Before applying the role, confirm the KeyCape/NetKingdom claim that identifies
the whynot-design caller. The role must bind to that claim; do not create an
unbounded OIDC role that grants this policy to every OIDC user.
The whynot-design pilot claim is confirmed as `groups=whynot-design`. Before
applying any changed role, re-confirm the KeyCape/NetKingdom claim that
identifies the whynot-design caller. The role must bind to that claim; do not
create an unbounded OIDC role that grants this policy to every OIDC user.
If the consumer is an in-cluster service account instead of an OIDC caller, use
Kubernetes auth with the same role name and bind only the approved namespace
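Review bot: the replacement text states the pilot claim "is confirmed as `groups=whynot-design`" but records neither who confirmed it nor which CCR the confirmation belongs to, so the "re-confirm" instruction that follows has no baseline to compare against; cite the CCR and the confirming reviewer here (the `confirm-binding ... --reviewer <name>` command this same commit adds is the natural record to point at). Separately, `groups=whynot-design` is a group-membership claim, while the surrounding sentence still says the role must bind to "the claim that identifies the whynot-design caller"; if binding to the group claim is intentional, say so explicitly, because every member of that group, not one caller, then receives `workload-kv-read-whynot-design-npm-publish`.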