Add Infisical token-reviewer RBAC for Kubernetes Auth

Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to
system:auth-delegator (TokenReview), explicit long-lived SA token Secret
(k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't
strip the controller-populated token. Token value never committed.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-06-18 16:05:59 +00:00
co-authored by Claude Opus 4.8
parent 2c81ab03a7
commit 5f6b491ed3
4 changed files with 52 additions and 0 deletions
@@ -0,0 +1,12 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: infisical-token-reviewer-auth-delegator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator # grants TokenReview create
subjects:
- kind: ServiceAccount
name: infisical-token-reviewer
namespace: infisical-operator
@@ -0,0 +1,10 @@
apiVersion: v1
kind: Secret
metadata:
name: infisical-token-reviewer
namespace: infisical-operator
annotations:
kubernetes.io/service-account.name: infisical-token-reviewer
type: kubernetes.io/service-account-token
# .data is populated by the cluster token controller — never committed to git.
# ArgoCD ignores /data on this Secret (see application-infisical-operator-rbac.yaml).
@@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: infisical-token-reviewer
namespace: infisical-operator