K8s auth backend security/deployment best practices


I am currently using Helm to manage deployments. Helm will create an SA for each Pod, and I am using a single default kubernetes/ auth backend with a per-deployment Vault role, restricted to the Pod SA and namespace. It is a single namespace grouping all services that represents the tenant.

In my understanding, the current model restricts an arbitrary Pod from accessing what it shouldn't access. Even if someone can override annotations, the Vault role will still require an authorised SA JWT, unless I am missing something else.

I have two questions related to my current pattern:

  1. Does this pattern make sense, and is it secure?
  2. Should I stick to a single kubernetes/ backend with Vault deployed in the same cluster, or should I have a dedicated backend created per service, and what are the potential implications here?
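The role binding the post describes can be modelled to see exactly which check stops a Pod that merely claims a role. The following is an added example, not code from the post or from Vault: it models a Kubernetes auth role with `bound_service_account_names` and `bound_service_account_namespaces` (real Vault role parameters) and a login that only grants policies when the caller presents a token the cluster actually issued for a bound SA. The HMAC signing key, the `tenant-a` namespace, the `payments` role and SA name are all constructed for the example; real Vault does not verify the JWT itself but submits it to the Kubernetes TokenReview API, which plays the role the HMAC check plays here.

```python
import base64
import hashlib
import hmac
import json

# Constructed key standing in for the cluster's service-account token signer.
# It models "the cluster vouches for this token"; Vault itself delegates this
# step to the Kubernetes TokenReview API rather than checking signatures.
CLUSTER_KEY = b"constructed-cluster-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_sa_token(namespace: str, sa_name: str, key: bytes = CLUSTER_KEY) -> str:
    """Mint a constructed HS256 token carrying the claims a SA token carries."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": "kubernetes/serviceaccount",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/service-account.name": sa_name,
    }
    signing_input = (
        f"{_b64url(json.dumps(header).encode())}."
        f"{_b64url(json.dumps(payload).encode())}"
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_sa_token(token: str, key: bytes = CLUSTER_KEY):
    """Return (namespace, sa_name) when the signature is valid, else None."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    claims = json.loads(_b64url_decode(p))
    parts = claims.get("sub", "").split(":")
    if len(parts) != 4 or parts[:2] != ["system", "serviceaccount"]:
        return None
    return parts[2], parts[3]


# Constructed per-deployment role: one SA, one tenant namespace, one policy.
ROLES = {
    "payments": {
        "bound_service_account_names": ["payments"],
        "bound_service_account_namespaces": ["tenant-a"],
        "policies": ["payments-policy"],
    },
}


def login(role_name: str, token: str):
    """Model of the role check: policies granted, or None when refused."""
    role = ROLES.get(role_name)
    if role is None:
        return None
    identity = verify_sa_token(token)
    if identity is None:          # not a token the cluster issued
        return None
    namespace, sa_name = identity
    names = role["bound_service_account_names"]
    namespaces = role["bound_service_account_namespaces"]
    if "*" not in names and sa_name not in names:
        return None               # right namespace, wrong SA
    if "*" not in namespaces and namespace not in namespaces:
        return None               # right SA name, wrong namespace
    return list(role["policies"])


def tamper_sub(token: str, namespace: str, sa_name: str) -> str:
    """Rewrite the claims without re-signing (a claimed identity, not an issued one)."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["sub"] = f"system:serviceaccount:{namespace}:{sa_name}"
    return f"{h}.{_b64url(json.dumps(claims).encode())}.{s}"


if __name__ == "__main__":
    good = issue_sa_token("tenant-a", "payments")
    print("bound SA:", login("payments", good))
    print("other SA, same namespace:", login("payments", issue_sa_token("tenant-a", "billing")))
    print("claimed SA, unsigned:", login("payments", tamper_sub(issue_sa_token("tenant-a", "billing"), "tenant-a", "payments")))
```

The last two calls are the cases the post reasons about: a Pod in the same tenant namespace whose SA is not bound to the role gets nothing, and a Pod that rewrites the identity it presents (the analogue of overriding an annotation to name someone else's role) still fails at the token check before the role binding is even consulted. The role binding and the issued token together are what isolate the deployments; the annotation only selects which role is attempted.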