Correct whynot credential tenant path
@@ -137,12 +137,16 @@ Default pattern:
workload namespace.
3. Reference that Kubernetes Secret from the Deployment, Job, or CronJob.
Path convention:
Path convention for workload credential custody:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
Kubernetes namespace and service-account bounds belong in the OpenBao auth role
or External Secrets binding, not in the tenant segment unless the namespace is
itself the approved workload identity.
Use CSI-mounted files only for workloads that need file references, sharper
mount boundaries, or refresh behavior that should not rewrite application
manifests. Do not use the OpenBao injector in the current deployment.
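Review bot: the new paragraph after the code fence undercuts its own rule with "unless the namespace is itself the approved workload identity": it first says namespace and service-account bounds do not belong in the tenant segment, then allows exactly that without saying who approves the exception or where that approval is recorded, so two layouts can coexist under one convention. Either drop the exception or add one line naming the approver and the record. The hunk also replaces `platform/workloads/<namespace>/<service-account>/<secret-name>` with `platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>` with no migration note; any OpenBao policy or External Secrets binding that already points at the old layout needs a transition step, or at least a sentence stating that the old path is retired. Finally, step 3 still says "Reference that Kubernetes Secret" while the path now ends in `<secret-purpose>` rather than `<secret-name>`; state how the purpose segment maps to the Kubernetes Secret name so two workloads in one tenant cannot collide.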