https://github.com/stackabletech/kafka-operator/issues/724 shows that we don't really have a good way to identify a "machine user" that others can write authorization rules against. You could use the SANs we already set, but that can as often just identify the instance, rather than the app/group of instances (such as StatefulSet).
Perhaps it would make sense to use the pod's ServiceAccount? That said, we should probably avoid the format `serviceaccount.ns` to prevent people confusing them with DNS names.