Background
In issue #35 we implemented namespace-scoped Kubernetes access and deterministic metadata binding to the app landing zone Secrets Manager instance via namespace annotations.
Current state:
stackit.cloud/secretsmanager-instance-id is set on managed namespaces.- This is a stable contract, but does not yet enforce workload-side secret consumption policy.
Goal
Add enforceable controls so workloads in managed namespaces must use the intended Secrets Manager integration path instead of unmanaged plain Kubernetes secrets.
Scope (proposal)
- Define enforcement strategy (admission policy and/or operator pattern).
- Add module-level toggles for enforcement mode.
- Implement policy resources and defaults for namespace-service-enabled landing zones.
- Add tests for allowed/denied paths.
- Document rollout and migration strategy.
Non-goals
- Breaking existing workloads without a migration path.
- Immediate hard-block in all existing namespaces by default.
Acceptance Criteria
- Namespaces managed through namespace service can be configured with enforce mode.
- Direct plain secret usage can be denied (configurable).
- Approved Secrets Manager integration path remains functional.
- Tests cover both compliant and non-compliant examples.
Context
Background
In issue #35 we implemented namespace-scoped Kubernetes access and deterministic metadata binding to the app landing zone Secrets Manager instance via namespace annotations.
Current state:
stackit.cloud/secretsmanager-instance-idis set on managed namespaces.Goal
Add enforceable controls so workloads in managed namespaces must use the intended Secrets Manager integration path instead of unmanaged plain Kubernetes secrets.
Scope (proposal)
Non-goals
Acceptance Criteria
Context