Summary
The bobrapet manager currently requires cluster-wide create/get/patch permissions on Secret and ServiceAccount objects to reconcile managed runner identities, trigger-data Secrets, and S3 auth copies.
Problem
Broad cluster-scoped mutation grants violate least-privilege and raise concerns in multi-tenant environments. Runtime collision guards already prevent blind adoption, but the permission surface is wider than necessary.
Proposed change
Redesign ownership and namespace boundaries so secret propagation and managed runner identities work without broad cluster-scoped mutation grants. Possible approaches:
- Namespace-scoped operator instances
- Delegated secret copying via a sidecar or job
- Reference-based secret consumption instead of copying
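As an added illustration (not the bobrapet project's own manifests), the cluster-scoped grant described above next to the namespace-scoped Role that the first proposed approach would replace it with; the names `bobrapet-manager`, `bobrapet-system` and `tenant-a` are assumptions.

```yaml
# Current shape (assumed reconstruction): one ClusterRole lets the manager
# create/get/patch Secrets and ServiceAccounts in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bobrapet-manager-cluster   # hypothetical name
rules:
  - apiGroups: [""]
    resources: ["secrets", "serviceaccounts"]
    verbs: ["create", "get", "patch"]
---
# Least-privilege alternative for a namespace-scoped operator instance:
# the same verbs, but granted by a Role that exists only in the tenant
# namespace, so the manager cannot touch Secrets elsewhere.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: bobrapet-manager            # hypothetical name
  namespace: tenant-a               # hypothetical tenant namespace
rules:
  - apiGroups: [""]
    resources: ["secrets", "serviceaccounts"]
    verbs: ["create", "get", "patch"]
---
# Bind the tenant-scoped Role to the operator's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: bobrapet-manager
  namespace: tenant-a
subjects:
  - kind: ServiceAccount
    name: bobrapet-manager          # the operator's own identity
    namespace: bobrapet-system      # hypothetical operator namespace
roleRef:
  kind: Role
  name: bobrapet-manager
  apiGroup: rbac.authorization.k8s.io
```

Once the ClusterRoleBinding is removed, `kubectl auth can-i create secrets -n some-other-namespace --as=system:serviceaccount:bobrapet-system:bobrapet-manager` should answer `no`, which is the check to add to the operator's RBAC tests.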
References