Confirm whynot credential binding
@@ -149,6 +149,7 @@ make credential-change-render CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-plan CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-status CREDENTIAL_CHANGE=CCR-2026-0001
make credential-change-status-json CREDENTIAL_CHANGE=CCR-2026-0001
scripts/credential-change.py confirm-binding CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py approve CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py deny CCR-2026-0001 --reviewer <name> --comment "..."
scripts/credential-change.py needs-changes CCR-2026-0001 --reviewer <name> --comment "..."
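Review bot: the new `confirm-binding` line is dropped into the command list without saying where it sits in the review flow or what the reviewer is attesting to. Readers of this runbook cannot tell whether `approve` is allowed before a binding confirmation has been recorded, or what the `--comment` should contain. Suggest a short sentence above the list stating that `confirm-binding` must be recorded before `approve` and that the comment should name the exact claim that was verified (the second hunk gives `groups=whynot-design` as the pilot value), so the confirmation is a checkable record rather than a free-text note.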
@@ -107,9 +107,10 @@ The role must attach only:
workload-kv-read-whynot-design-npm-publish
```
Before applying the role, confirm the KeyCape/NetKingdom claim that identifies
the whynot-design caller. The role must bind to that claim; do not create an
unbounded OIDC role that grants this policy to every OIDC user.
The whynot-design pilot claim is confirmed as `groups=whynot-design`. Before
applying any changed role, re-confirm the KeyCape/NetKingdom claim that
identifies the whynot-design caller. The role must bind to that claim; do not
create an unbounded OIDC role that grants this policy to every OIDC user.
If the consumer is an in-cluster service account instead of an OIDC caller, use
Kubernetes auth with the same role name and bind only the approved namespace
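Review bot: the added paragraph asserts "The whynot-design pilot claim is confirmed as `groups=whynot-design`" as a bare fact, but records neither who confirmed it nor when, and the same sentence then asks the operator to re-confirm it, which reads as contradictory. Point the prose at the `confirm-binding` record for CCR-2026-0001 (reviewer and comment) instead of restating the claim value inline, so the doc does not drift from the recorded confirmation. Two further points on the binding itself: a `groups` claim is a membership test, so every identity added to that group later inherits `workload-kv-read-whynot-design-npm-publish`; the role should also be pinned to the issuer and audience, not the groups value alone, or the "do not create an unbounded OIDC role" warning is only partly honoured. And the unchanged Kubernetes-auth line binds "only the approved namespace"; a namespace-only binding lets any service account in that namespace read the publish secret, so name the approved service account as well.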