According this, seems the wf’s start is not limited by it’s own starter, how to make sure my wf safe: not be executed wrongly by other one within same namespace?
There are two layers at which you can control who can access what resources.
Client connection can be restricted with mTLS, to make sure only clients with proper certificates can connect to the cluster.
Authorization of individual API calls can be established via the
The typical approach is to restrict access on a per-namespace basis and check that the caller has proper permissions for the namespace. The check can also be done at a finer grain lever if necessary by analyzing the