gke-identity-isolation-shifts-risk-to-namespace-discipline

Status: OUT

GKE Workload Identity addresses the risks of service account keys (dual nature, default editor role, impersonation surface), but it shifts the security requirement to namespace and naming discipline: the same namespace plus the same KSA name yields the same GCP identity regardless of intent, so enabling the feature is not enough and organizational practices are required.
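
An added audit sketch, not part of the original note: it builds the Workload Identity member string for each workload in an inventory and reports every IAM binding whose member is held by workloads in more than one cluster. The project, cluster, namespace, team and GSA names are constructed, and it assumes all clusters live in one project and therefore share one workload identity pool.

```python
from collections import defaultdict

PROJECT = "example-project"  # constructed placeholder project ID

# Constructed inventory: (cluster, namespace, KSA name, owning team).
WORKLOADS = [
    ("prod-eu", "payments", "api", "team-payments"),
    ("dev-sandbox", "payments", "api", "team-interns"),
    ("prod-eu", "billing", "worker", "team-billing"),
    ("prod-us", "billing", "worker", "team-billing"),
    ("dev-sandbox", "scratch", "default", "team-interns"),
]

# Constructed roles/iam.workloadIdentityUser bindings, keyed by GSA.
BINDINGS = {
    "payments-gsa@example-project.iam.gserviceaccount.com":
        ["serviceAccount:example-project.svc.id.goog[payments/api]"],
    "billing-gsa@example-project.iam.gserviceaccount.com":
        ["serviceAccount:example-project.svc.id.goog[billing/worker]"],
}

def wi_member(project, namespace, ksa):
    # The member string has no cluster component: namespace + KSA name
    # alone decide which GCP identity a pod presents.
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"

def find_shared_identities(project, workloads, bindings):
    """Return bindings whose member is held by workloads in several clusters."""
    holders = defaultdict(list)
    for cluster, namespace, ksa, owner in workloads:
        holders[wi_member(project, namespace, ksa)].append((cluster, owner))
    findings = []
    for gsa in sorted(bindings):
        for member in bindings[gsa]:
            clusters = sorted({c for c, _ in holders.get(member, [])})
            owners = sorted({o for _, o in holders.get(member, [])})
            if len(clusters) > 1:
                findings.append({
                    "gsa": gsa, "member": member, "clusters": clusters,
                    "owners": owners,
                    # Different owners under one identity is the case to review first.
                    "cross_team": len(owners) > 1,
                })
    return findings

if __name__ == "__main__":
    for f in find_shared_identities(PROJECT, WORKLOADS, BINDINGS):
        flag = "REVIEW" if f["cross_team"] else "shared"
        print(flag, f["gsa"], f["member"], f["clusters"], f["owners"])
```

A `cross_team` finding means two teams' workloads resolve to the same GCP identity purely because their namespace and KSA names match; the fix is a naming or project-separation decision, not a cluster setting.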
