According to this, it seems the wf's start is not limited to its own starter. How do I make sure my wf is safe, i.e. not executed wrongly by someone else within the same namespace?
There are two layers at which you can control who can access what resources.
- Client connection can be restricted with mTLS, to make sure only clients with proper certificates can connect to the cluster.
- Authorization of individual API calls can be established via the Authorizer/ClaimMapper plugin mechanism.
The typical approach is to restrict access on a per-namespace basis and check that the caller has proper permissions for the namespace. The check can also be done at a finer-grained level if necessary by analyzing the Request object.
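Added example, not code from the thread or from the Temporal project: a stand-alone Go model of the two plugin roles the answer names. `ClaimsFromTLSSubject` plays the ClaimMapper, turning the mTLS certificate subject into per-namespace roles; `Authorize` plays the Authorizer, denying any call for a namespace the caller has no role in, requiring Writer for anything that is not a read-only API, and, for StartWorkflowExecution, inspecting the request object so a request body naming a different namespace than the call target is rejected. The type shapes follow Temporal's `common/authorization` package loosely but are assumptions; the OU convention `<namespace>:<role>`, the read-only API list and the `StartWorkflowRequest` stand-in are all constructed for the example.

```go
package main

import (
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// Role, Claims and CallTarget model the shapes used by Temporal's Authorizer /
// ClaimMapper plugins. Assumption: the real types live in
// go.temporal.io/server/common/authorization and may differ in detail.
type Role int

const (
	RoleUndefined Role = iota
	RoleReader
	RoleWriter
	RoleAdmin
)

type Claims struct {
	Subject    string
	Namespaces map[string]Role // role granted per namespace
}

type CallTarget struct {
	APIName   string
	Namespace string
	Request   interface{} // the decoded gRPC request, for finer-grained checks
}

// StartWorkflowRequest is a constructed stand-in for the real
// StartWorkflowExecutionRequest, carrying only the fields we inspect.
type StartWorkflowRequest struct {
	Namespace  string
	WorkflowID string
}

// ClaimsFromTLSSubject is a hypothetical ClaimMapper for mTLS clients: the
// certificate CN is the caller identity and each OU is "<namespace>:<role>".
// This convention is an example, not Temporal's default mapping.
func ClaimsFromTLSSubject(subj pkix.Name) (*Claims, error) {
	return ClaimsFromOUs(subj.CommonName, subj.OrganizationalUnit)
}

// ClaimsFromOUs does the actual parsing so it can be tested without a cert.
func ClaimsFromOUs(cn string, ous []string) (*Claims, error) {
	c := &Claims{Subject: cn, Namespaces: map[string]Role{}}
	for _, ou := range ous {
		ns, role, ok := strings.Cut(ou, ":")
		if !ok || ns == "" {
			return nil, fmt.Errorf("malformed OU %q, want <namespace>:<role>", ou)
		}
		switch role {
		case "reader":
			c.Namespaces[ns] = RoleReader
		case "writer":
			c.Namespaces[ns] = RoleWriter
		case "admin":
			c.Namespaces[ns] = RoleAdmin
		default:
			return nil, fmt.Errorf("unknown role %q in OU %q", role, ou)
		}
	}
	return c, nil
}

// readOnlyAPIs is an illustrative (not complete) set of calls a Reader may make;
// every other namespaced call, StartWorkflowExecution included, needs Writer.
var readOnlyAPIs = map[string]bool{
	"DescribeWorkflowExecution":   true,
	"GetWorkflowExecutionHistory": true,
	"ListWorkflowExecutions":      true,
}

// Authorize is the per-namespace check: deny unless the caller holds a
// sufficient role in target.Namespace. For start requests it also checks the
// request object itself, so the body cannot name a different namespace.
func Authorize(claims *Claims, target CallTarget) (allowed bool, reason string) {
	if claims == nil {
		return false, "no claims presented"
	}
	role := claims.Namespaces[target.Namespace]
	if role == RoleUndefined {
		return false, fmt.Sprintf("%s has no role in namespace %q", claims.Subject, target.Namespace)
	}
	if !readOnlyAPIs[target.APIName] && role < RoleWriter {
		return false, fmt.Sprintf("%s needs Writer for %s in %q", claims.Subject, target.APIName, target.Namespace)
	}
	if req, ok := target.Request.(*StartWorkflowRequest); ok && req.Namespace != target.Namespace {
		return false, "request namespace does not match call target"
	}
	return true, ""
}

func main() {
	// Constructed certificate subject: a worker that may write to "billing"
	// and only read "audit".
	subj := pkix.Name{CommonName: "billing-worker", OrganizationalUnit: []string{"billing:writer", "audit:reader"}}
	claims, err := ClaimsFromTLSSubject(subj)
	if err != nil {
		panic(err)
	}
	for _, t := range []CallTarget{
		{APIName: "StartWorkflowExecution", Namespace: "billing", Request: &StartWorkflowRequest{Namespace: "billing", WorkflowID: "inv-1"}},
		{APIName: "StartWorkflowExecution", Namespace: "audit", Request: &StartWorkflowRequest{Namespace: "audit", WorkflowID: "inv-1"}},
		{APIName: "DescribeWorkflowExecution", Namespace: "audit"},
		{APIName: "StartWorkflowExecution", Namespace: "payroll", Request: &StartWorkflowRequest{Namespace: "payroll"}},
	} {
		ok, why := Authorize(claims, t)
		fmt.Printf("%-26s %-8s allowed=%-5v %s\n", t.APIName, t.Namespace, ok, why)
	}
}
```

The point to take from it is that the namespace check is only as strong as the identity behind the claims: with mTLS the certificate is what proves who the caller is, and the mapper must fail closed (here, any OU it cannot parse rejects the whole certificate) rather than fall back to an anonymous role.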
Thanks Sergey.