Confirm whynot credential binding
@@ -107,9 +107,10 @@ The role must attach only:
workload-kv-read-whynot-design-npm-publish
```
Before applying the role, confirm the KeyCape/NetKingdom claim that identifies
the whynot-design caller. The role must bind to that claim; do not create an
unbounded OIDC role that grants this policy to every OIDC user.
The whynot-design pilot claim is confirmed as `groups=whynot-design`. Before
applying any changed role, re-confirm the KeyCape/NetKingdom claim that
identifies the whynot-design caller. The role must bind to that claim; do not
create an unbounded OIDC role that grants this policy to every OIDC user.
If the consumer is an in-cluster service account instead of an OIDC caller, use
Kubernetes auth with the same role name and bind only the approved namespace
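Review bot: the added line "The whynot-design pilot claim is confirmed as `groups=whynot-design`" records a value but not a repeatable check; `groups` is a membership claim, so this binding admits every identity the KeyCape/NetKingdom IdP places in that group, not one caller, and the text that follows ("re-confirm the KeyCape/NetKingdom claim that identifies the whynot-design caller") should say how to re-confirm it: decode a token from the whynot-design caller, verify the `groups` value, issuer and audience the role is bound to, and verify that a token without that group is refused for `workload-kv-read-whynot-design-npm-publish`. Consider also stating the issuer and audience alongside the group in the same sentence so the "unbounded OIDC role" warning has something concrete to check against. For the Kubernetes auth alternative, if the sentence really ends at "bind only the approved namespace", add the service account name as well; a namespace-only binding lets any service account in that namespace read the secret.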