Correct whynot credential tenant path
This commit is contained in:
parent
ad47a136f7
commit
eb24e04b71
10 changed files with 67 additions and 48 deletions
@ -137,12 +137,16 @@ Default pattern:
workload namespace.
3. Reference that Kubernetes Secret from the Deployment, Job, or CronJob.
Path convention:
Path convention for workload credential custody:
```text
platform/workloads/<namespace>/<service-account>/<secret-name>
platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>
```
Kubernetes namespace and service-account bounds belong in the OpenBao auth role
or External Secrets binding, not in the tenant segment unless the namespace is
itself the approved workload identity.
Use CSI-mounted files only for workloads that need file references, sharper
mount boundaries, or refresh behavior that should not rewrite application
manifests. Do not use the OpenBao injector in the current deployment.
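Review bot: The new convention `platform/workloads/<tenant-or-org>/<workload>/<secret-purpose>` replaces the `<namespace>/<service-account>/<secret-name>` layout without saying what happens to secrets already stored under the old paths; add a sentence stating whether those paths are migrated or remain valid during a transition, since any OpenBao policy or External Secrets binding written against the old segment layout needs updating at the same time. The exception "unless the namespace is itself the approved workload identity" also leaves open who approves that and where the approval is recorded; pointing at the OpenBao auth role that encodes the namespace and service-account bounds would make the rule checkable. Finally, "Do not use the OpenBao injector in the current deployment" would be stronger with the reason, so a later change does not reintroduce it.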