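# Least-privilege policy for the External Secrets Operator issue-core pilot.
#
# The matching Kubernetes auth role binds only the ESO service account in the
# external-secrets namespace. ClusterSecretStore usage is separately limited to
# the issue-core namespace.
#
# NOTE(review): both of those limits live outside this file. This policy only
# scopes which paths a token may read; it does not restrict which service
# account or namespace obtains the token. Confirm the role's
# bound_service_account_names / bound_service_account_namespaces and the
# ClusterSecretStore namespace conditions when reviewing this policy.
#
# The data/ and metadata/ path segments follow the KV version 2 API layout;
# presumably "platform" is a KV v2 mount - confirm against the mount config.

# Secret values: read-only. The trailing "*" is a prefix glob, so every secret
# nested at any depth below this prefix is readable. No create, update, delete
# or list capability is granted on data/.
path "platform/data/workloads/issue-core/issue-core/*" {
  capabilities = ["read"]
}

# Secret metadata: read and list only. On KV v2, read returns version history
# and custom metadata rather than secret values, and list exposes the key
# names under the prefix. Key names and custom metadata can themselves be
# sensitive, so keep this prefix as narrow as the data/ one above.
path "platform/metadata/workloads/issue-core/issue-core/*" {
  capabilities = ["read", "list"]
}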