Keep the operator identity surfaces separate in your head.
The controller, workload pods, and day 2 executor jobs do not share one identity. This page helps you trace which Kubernetes ServiceAccount maps to which OpenBao auth and authorization surface so custom installs do not drift.
Identity map
| Actor | Kubernetes identity | OpenBao auth | Primary boundary |
|---|---|---|---|
| Provisioner | Provisioner ServiceAccount in the operator namespace | None | Kubernetes RBAC only |
| Controller | Controller ServiceAccount in the operator namespace | Projected JWT token bound to the openbao-operator role | Kubernetes RBAC plus OpenBao maintenance policy |
| Main OpenBao Pods | Per-cluster ServiceAccount in the tenant namespace | OpenBao server runtime auth and configured seal/unseal integration | Kubernetes workload identity plus OpenBao runtime configuration |
| Backup Job | Generated backup ServiceAccount in the tenant namespace | Projected JWT token or explicit backup token Secret | Snapshot policy plus backup-target credentials |
| Restore Job | Generated restore ServiceAccount in the tenant namespace | Projected JWT token or explicit restore token Secret | Restore policy plus restore-source credentials |
| Upgrade Job | Generated upgrade ServiceAccount in the tenant namespace | Projected JWT token | Upgrade policy for rolling or blue-green operations |
Install-sensitive checks
| Surface | What must match | Why it breaks when it drifts |
|---|---|---|
| Controller identity | Rendered controller ServiceAccount name and operator namespace | The JWT role binding and admission-policy subjects stop pointing at the real controller. |
| Projected token mount | The controller Deployment still mounts the openbao-token projected volume | The controller loses its default JWT auth path to OpenBao. |
| JWT audience | OPENBAO_JWT_AUDIENCE, the projected token audience, and the OpenBao role bound_audiences | A valid controller identity still fails auth when the audience contract drifts. |
| Executor identities | Backup, restore, and upgrade Jobs use their own generated ServiceAccounts | Main workload identity does not automatically carry into day 2 executor jobs. |
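The controller rows of the table above (controller identity, projected token mount, JWT audience) as one offline drift check. This is an added example, not the operator's own code: the inputs are constructed objects shaped like a rendered controller Deployment and a read-back of the openbao-operator JWT role, and the role field `bound_subject` with the `system:serviceaccount:<namespace>:<name>` subject format is an assumption about how the role is bound to the controller.

```python
SAMPLE_DEPLOYMENT = {  # constructed sample shaped like a rendered controller Deployment
    "metadata": {"name": "openbao-operator-controller", "namespace": "openbao-operator-system"},
    "spec": {"template": {"spec": {
        "serviceAccountName": "openbao-operator-controller",
        "containers": [{
            "name": "manager",
            "env": [{"name": "OPENBAO_JWT_AUDIENCE", "value": "openbao-operator"}],
            "volumeMounts": [{"name": "openbao-token", "mountPath": "/var/run/secrets/openbao"}],
        }],
        "volumes": [{
            "name": "openbao-token",
            "projected": {"sources": [{"serviceAccountToken": {
                "audience": "openbao-operator", "path": "token", "expirationSeconds": 3600}}]},
        }],
    }}},
}

SAMPLE_ROLE = {  # constructed read-back of the openbao-operator JWT role (bound_subject assumed)
    "bound_audiences": ["openbao-operator"],
    "bound_subject": "system:serviceaccount:openbao-operator-system:openbao-operator-controller",
}


def check_controller_identity(deployment, role):
    """Return a list of drift findings; an empty list means the surfaces agree."""
    findings = []
    meta = deployment["metadata"]
    pod = deployment["spec"]["template"]["spec"]
    sa = pod.get("serviceAccountName", "default")
    container = pod["containers"][0]
    # Projected token mount: a volume named openbao-token with a serviceAccountToken source, mounted.
    vol = next((v for v in pod.get("volumes", []) if v["name"] == "openbao-token"), None)
    sources = vol.get("projected", {}).get("sources", []) if vol else []
    token_src = next((s["serviceAccountToken"] for s in sources if "serviceAccountToken" in s), None)
    mounted = any(m["name"] == "openbao-token" for m in container.get("volumeMounts", []))
    if token_src is None or not mounted:
        findings.append("openbao-token projected volume is missing or not mounted")
        return findings  # the audience checks below need the token source
    # Audience contract: env var, projected audience and role bound_audiences must all agree.
    env_aud = next((e.get("value") for e in container.get("env", []) if e["name"] == "OPENBAO_JWT_AUDIENCE"), None)
    proj_aud = token_src.get("audience")
    if env_aud != proj_aud:
        findings.append(f"OPENBAO_JWT_AUDIENCE={env_aud!r} but projected audience={proj_aud!r}")
    if proj_aud not in role.get("bound_audiences", []):
        findings.append(f"audience {proj_aud!r} not in role bound_audiences {role.get('bound_audiences')}")
    # Role binding: the role subject must name the rendered ServiceAccount in the operator namespace.
    expected_subject = f"system:serviceaccount:{meta['namespace']}:{sa}"
    if role.get("bound_subject") != expected_subject:
        findings.append(f"role bound_subject {role.get('bound_subject')!r} != {expected_subject!r}")
    return findings
```

Feed it the live Deployment and role read-back (for example from `kubectl get deploy -o json` and the auth role read) to reproduce the table's checks after a namespace or prefix change.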
Common failure modes
| Symptom | Most likely boundary | Check first |
|---|---|---|
| permission denied when the controller talks to OpenBao | Controller JWT auth or OpenBao role binding | Operator authentication |
| Custom raw-manifest install fails after namespace or prefix changes | Rendered identity drift | Operator installation render verification |
| Backup or restore auth fails while the main cluster stays healthy | Executor Job identity drift | Operator authorization plus backup or restore configuration |
| Tenant onboarding works, but controller access does not | Kubernetes RBAC or RoleBinding introduction | RBAC architecture |
Go deeper
Operator authentication: see how the projected JWT token, audience, and role binding form the default auth path.
Operator authorization: review which policies belong to controller, backup, restore, and upgrade work.
RBAC architecture: move into Kubernetes permission boundaries when the problem is namespace or RoleBinding scoped.
You are reading docs for version 0.1.0.