Open v0lkan opened 8 months ago
Not sure this falls within the domain of VSecM.
This is more of the ballpark domain of tools like OPA.
Maybe we can create a demo that uses OPA to achieve this functionality. But that also might mean sentinel shall know how to query OPA.
When creating a secret, the operator can enforce a policy.
The policy can be global, per workload, or per secret (based on a workload/secret-name unique key).
The policy shall be externally created, and if there is a policy, creating secrets against that policy shall be denied.
The operator can delete the policy, of course, but their deletion (and policy creation) actions shall be logged for audit purposes.
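One way to model the three deny-policy scopes and the audit trail described above, as an added Go sketch that is not VSecM's own code; `PolicyStore`, `Denies`, the key format and the operator names are assumptions:

```go
package main

import "fmt"

// Policy is a deny rule; empty fields are wildcards, giving the issue's three
// scopes: global ("", ""), per workload (w, ""), per secret (w, name).
type Policy struct{ Workload, SecretName string }

func (p Policy) key() string { return p.Workload + "/" + p.SecretName }

// PolicyStore holds externally created deny policies plus an audit trail of
// every policy create/delete action (hypothetical, not VSecM's own API).
type PolicyStore struct {
	policies map[string]Policy
	Audit    []string
}

func NewPolicyStore() *PolicyStore { return &PolicyStore{policies: map[string]Policy{}} }

func (s *PolicyStore) record(operator, action string, p Policy) {
	s.Audit = append(s.Audit, fmt.Sprintf("operator=%s action=%s policy=%s", operator, action, p.key()))
}

// Create registers a deny policy and records who created it.
func (s *PolicyStore) Create(operator string, p Policy) {
	s.policies[p.key()] = p
	s.record(operator, "policy-create", p)
}

// Delete removes a policy; the deletion is logged even if nothing matched.
func (s *PolicyStore) Delete(operator string, p Policy) bool {
	_, existed := s.policies[p.key()]
	delete(s.policies, p.key())
	s.record(operator, "policy-delete", p)
	return existed
}

// Denies checks, most to least specific, whether creating secret `name` for
// `workload` is blocked, and returns the policy that blocks it.
func (s *PolicyStore) Denies(workload, name string) (bool, Policy) {
	for _, k := range []string{workload + "/" + name, workload + "/", "/"} {
		if p, ok := s.policies[k]; ok {
			return true, p
		}
	}
	return false, Policy{}
}
```

A secret-creation path would call `Denies` before writing and refuse the request when it returns true, while `Audit` is what gets shipped to the log sink.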