Add Infisical token-reviewer RBAC for Kubernetes Auth
Phase 2 Step 2: dedicated SA infisical-token-reviewer bound to system:auth-delegator (TokenReview), explicit long-lived SA token Secret (k8s 1.34 doesn't auto-create). ArgoCD ignores /data so selfHeal won't strip the controller-populated token. Token value never committed. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -0,0 +1,10 @@
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: infisical-token-reviewer
|
||||
namespace: infisical-operator
|
||||
annotations:
|
||||
kubernetes.io/service-account.name: infisical-token-reviewer
|
||||
type: kubernetes.io/service-account-token
|
||||
# .data is populated by the cluster token controller — never committed to git.
|
||||
# ArgoCD ignores /data on this Secret (see application-infisical-operator-rbac.yaml).
|
||||
Reference in New Issue
Block a user