Confirm whynot credential binding

2026-06-27 23:45:31 +02:00
parent aee0dcefad
commit 52687d8b3e
6 changed files with 115 additions and 41 deletions

@@ -107,9 +107,10 @@ The role must attach only:
workload-kv-read-whynot-design-npm-publish
```
Before applying the role, confirm the KeyCape/NetKingdom claim that identifies
the whynot-design caller. The role must bind to that claim; do not create an
unbounded OIDC role that grants this policy to every OIDC user.
The whynot-design pilot claim is confirmed as `groups=whynot-design`. Before
applying any changed role, re-confirm the KeyCape/NetKingdom claim that
identifies the whynot-design caller. The role must bind to that claim; do not
create an unbounded OIDC role that grants this policy to every OIDC user.
If the consumer is an in-cluster service account instead of an OIDC caller, use
Kubernetes auth with the same role name and bind only the approved namespace
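Review bot: the new text asserts that the pilot claim is confirmed as `groups=whynot-design`, but the hunk records neither where that confirmation came from (the identity provider's group mapping, a ticket, a date) nor the concrete binding in the role itself, so a reader still cannot verify that the role is actually scoped to that claim rather than to any OIDC user. Suggest adding one line next to the policy name that states the exact claim key and value the role is configured to require, and a pointer to the evidence behind "confirmed", so the "must bind to that claim" instruction is checkable against the role definition instead of being a reminder that has to be re-derived each time. Minor: the old and new paragraphs both say "do not create an unbounded OIDC role that grants this policy to every OIDC user"; the added sentence "Before applying any changed role, re-confirm ..." would read more clearly if it named what "re-confirm" means in practice (compare the role's bound claim against the identity provider's current group for whynot-design).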